b"Evaluation Report\n\n\n\n\nOIG-CA-14-006\nINFORMATION TECHNOLOGY: The Department of the Treasury\nFederal Information Security Management Act Fiscal Year 2013\nEvaluation\nNovember 25, 2013\n\n\n\n\nOffice of\nInspector General\nDepartment of the Treasury\n\x0c    THIS PAGE INTENTIONALLY LEFT BLANK\n\xc2\xa0\n\x0c                                      DEPARTMENT OF THE TREASURY\n                                            W ASHINGTON, D.C. 20220\n\n\n\n\n     OFFICE OF\nINSPECTOR GENERAL\n                                            November 25, 2013\n\n\n           MEMORANDUM FOR NANI COLORETTI\n                          ASSISTANT SECRETARY FOR MANAGEMENT\n\n                                   ROBYN EAST\n                                   DEPUTY ASSISTANT SECRETARY FOR INFORMATION\n                                     SYSTEMS AND CHIEF INFORMATION OFFICER\n\n           FROM:                   Marla A. Freedman /s/\n                                   Assistant Inspector General for Audit\n\n           SUBJECT:                Evaluation Report \xe2\x80\x93 The Department of the Treasury\xe2\x80\x99s Federal\n                                   Information Security Management Act Fiscal Year 2013\n                                   Evaluation\n\n           We are pleased to transmit the following reports:\n\n                \xe2\x80\xa2   The Department of the Treasury Federal Information Security Management\n                    Act Fiscal Year 2013 Evaluation (Attachment 1), and\n\n                \xe2\x80\xa2   Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal Information\n                    Security Management Act Report for Fiscal Year 2013 (Attachment 2).\n\n           The Federal Information Security Management Act of 2002 (FISMA) requires\n           federal agencies, including the Department of the Treasury (Treasury), to have an\n           annual independent evaluation performed of their information security program and\n           
practices and to report the results of the evaluations to the Office of Management\n           and Budget (OMB). OMB delegated its responsibility to the Department of\n           Homeland Security (DHS) for the collection of annual FISMA responses. FISMA also\n           requires that the independent evaluation be performed by the agency Inspector\n           General (IG) or an independent external auditor as determined by the IG. To meet\n           our FISMA requirements, we contracted with KPMG LLP (KPMG), an independent\n           certified public accounting firm, to perform the FISMA evaluation of Treasury\xe2\x80\x99s\n           unclassified systems, except for those of the Internal Revenue Service (IRS), which\n           was performed by TIGTA. KPMG conducted its evaluation in accordance with the\n           Council of the Inspectors General on Integrity and Efficiency\xe2\x80\x99s Quality Standards\n           for Inspection and Evaluation.\n\x0cPage 2\n\n\nIn its report, KPMG concluded that Treasury has established an information security\nprogram and related practices for its non-IRS bureaus\xe2\x80\x99 unclassified systems. The\ninformation security program covers the 11 FISMA program areas: continuous\nmonitoring management, configuration management, identity and access\nmanagement, incident and response reporting, risk management, security training,\nplan of action and milestones, remote access management, contingency planning,\ncontractor systems, and security capital planning. While Treasury did establish an\ninformation security program and practices, KPMG identified needed improvements\nin 5 of 11 FISMA program areas and made 11 recommendations to the responsible\nofficials to address the findings.\n\nTIGTA reported that the IRS\xe2\x80\x99s information security program generally complies with\nFISMA, but improvements are needed. 
Specifically, TIGTA determined that 9 of the\n11 security program areas were generally compliant with the FISMA requirements.\nHowever, TIGTA reported that 2 IRS security program areas were not compliant\nwith FISMA requirements.\n\nBased on the results reported by KPMG and TIGTA, we determined that while\nTreasury\xe2\x80\x99s information security program and practices for its unclassified systems\nare in place and are generally consistent with FISMA, they could be more effective.\nSee appendix III of the attached KPMG report for The Department of the Treasury\xe2\x80\x99s\nConsolidated Response to DHS\xe2\x80\x99s FISMA 2013 Questions for Inspectors General.\n\nIn connection with the contract with KPMG, we reviewed its report and related\ndocumentation and inquired of its representatives. Our review was differentiated\nfrom an evaluation performed in accordance with Council of the Inspectors General\non Integrity and Efficiency\xe2\x80\x99s Quality Standards for Inspection and Evaluation.\n\nIf you have any questions or require further information, you may contact me at\n(202) 927-5400, or Tram J. Dang, Director, Information Technology Audit, at\n(202) 927-5171.\n\nAttachments\n\ncc: Edward A. 
Roback\n    Associate Chief Information Officer\n    Cyber Security\n\x0c            ATTACHMENT 1\n\n       The Department of the Treasury\nFederal Information Security Management Act\n         Fiscal Year 2013 Evaluation,\n             November 18, 2013\n\x0c    THIS PAGE INTENTIONALLY LEFT BLANK\n\xc2\xa0\n\x0cThe Department of the Treasury\nFederal Information Security Management Act\nFiscal Year 2013 Evaluation\n\n\n\n\nNovember 18, 2013\n\n\n\n\nKPMG LLP\n1676 International Drive, Suite 1200\nMcLean, VA 22102\n\x0c                                 The Department of the Treasury\n             Federal Information Security Management Act Fiscal Year 2013 Evaluation\n\n                                                                Table of Contents\n\nFISMA Evaluation Report\nBACKGROUND .......................................................................................................................................... 3\n  Federal Information Security Management Act (FISMA) ........................................................................ 3\n  Department of the Treasury Bureaus/Offices (Bureaus) ........................................................................... 3\n  Department of the Treasury Information Security Management Program................................................ 4\nOVERALL EVALUATION RESULTS ....................................................................................................... 7\nFINDINGS .................................................................................................................................................... 8\n  1. Logical account management activities were not in place or not consistently performed by\n      DO, Mint, and TIGTA ...................................................................................................................... 8\n  2. Security incidents were not reported correctly at Fiscal Service and OIG........................................ 9\n  3. 
FinCEN and Fiscal Service did not follow NIST guidance for SSPs ............................................. 10\n  4. Contingency planning and testing controls were not fully implemented or operating as\n      designed at TIGTA .......................................................................................................................... 11\n  5. Evidence of successful completion of annual security awareness training was not retained\n      for some users at OIG ..................................................................................................................... 11\nMANAGEMENT RESPONSE TO THE REPORT ................................................................................... 12\n\nAppendices\nAPPENDIX I \xe2\x80\x93 OBJECTIVE, SCOPE, AND METHODOLOGY ............................................................ 18\nAPPENDIX II \xe2\x80\x93 STATUS OF PRIOR-YEAR FINDINGS ....................................................................... 22\nAPPENDIX III \xe2\x80\x93 THE DEPARTMENT OF THE TREASURY\xe2\x80\x99S CONSOLIDATED RESPONSE TO\nDHS\xe2\x80\x99s FISMA 2013 QUESTIONS FOR INSPECTORS GENERAL ....................................................... 42\nAPPENDIX IV \xe2\x80\x93 APPROACH TO SELECTION OF SUBSET OF SYSTEMS ...................................... 54\nAPPENDIX V \xe2\x80\x93 GLOSSARY OF TERMS ............................................................................................... 56\n\x0c                               KPMG LLP\n                               1676 International Drive\n                               McLean, VA 22102\n\n\n\n\nHonorable Eric Thorson\nInspector General, Department of the Treasury\n1500 Pennsylvania Avenue NW\nRoom 4436\nWashington, DC 20220\n\n\nRe: The Department of the Treasury\xe2\x80\x99s Federal Information Security Management Act Fiscal\n    Year 2013 Evaluation\n\nDear Mr. 
Thorson:\n\nThis report presents the results of our independent evaluation of the Department of the Treasury\xe2\x80\x99s\n(Treasury) information security program and practices. The Federal Information Security Management\nAct of 2002 (FISMA) requires federal agencies, including the Treasury, to have an annual independent\nevaluation performed of their information security programs and practices and to report the results of\nthe evaluations to the Office of Management and Budget (OMB). OMB has delegated its responsibility\nto Department of Homeland Security (DHS) for the collection of annual FISMA responses. DHS has\nprepared the FISMA 2013 questionnaire to collect these responses. Appendix III, The Department of\nthe Treasury\xe2\x80\x99s Consolidated Response to DHS\xe2\x80\x99s FISMA 2013 Questions for Inspectors General,\nprovides the Treasury\xe2\x80\x99s response to the questionnaire. FISMA requires that the agency Inspector\nGeneral (IG) or an independent external auditor perform the independent evaluation as determined by\nthe IG. The Treasury Office of Inspector General (OIG) contracted with KPMG LLP (KPMG) to\nconduct this independent evaluation.\n\nWe conducted our independent evaluation in accordance with the Council of the Inspectors General on\nIntegrity and Efficiency\xe2\x80\x99s Quality Standards for Inspection and Evaluation.\n\nThe objective for this independent evaluation was to assess the effectiveness of the Treasury\xe2\x80\x99s\ninformation security program and practices for the period July 1, 2012 to June 30, 2013 for its\nunclassified systems, including the Treasury\xe2\x80\x99s compliance with FISMA and related information\nsecurity policies, procedures, standards, and guidelines. We based our work, in part, on a sample of\nbureau-wide security controls and a limited selection of system-specific security controls across 15-\nselected Treasury information systems. 
The scope of our work did not include the Internal Revenue\nService (IRS), as that bureau was evaluated by the Treasury Inspector General for Tax Administration\n(TIGTA). The TIGTA report is appended to this report and the findings are included in Appendix III,\nThe Department of the Treasury\xe2\x80\x99s Consolidated Response to DHS\xe2\x80\x99s FISMA 2013 Questions for\nInspectors General. Additional details regarding the scope of our independent evaluation are included\nin Appendix I, Objective, Scope & Methodology.\n\n\n\n\n                               KPMG LLP is a Delaware limited liability partnership,\n                               the U.S. member firm of KPMG International Cooperative\n                               (\xe2\x80\x9cKPMG International\xe2\x80\x9d), a Swiss entity.\n\x0cConsistent with applicable FISMA requirements, OMB policy and guidelines, and the National\nInstitute of Standards and Technology (NIST) standards and guidelines, the Treasury\xe2\x80\x99s information\nsecurity program and practices for its non-IRS bureaus\xe2\x80\x99 unclassified systems have established and are\nmaintaining security programs for the 11 FISMA program areas. 1 However, while the security program\nhas been implemented across the Treasury for its non-IRS bureaus, we identified 5 of 11 FISMA\nprogram areas that needed improvements.\n\n    1. Logical account management activities were not in place or not consistently performed by the\n       Departmental Offices (DO), United States Mint (Mint), and TIGTA.\n    2. Security incidents were not reported correctly at the Bureau of the Fiscal Service (Fiscal\n       Service) and OIG.\n    3. Financial Crimes Enforcement Network (FinCEN) and Fiscal Service did not follow NIST\n       guidance for System Security Plans (SSPs).\n    4. Contingency planning and testing controls were not fully implemented or operating as\n       designed at TIGTA.\n    5. 
Evidence of successful completion of annual security awareness training was not retained for\n       some users at OIG.\n\nWe have made 11 recommendations related to these control deficiencies that, if effectively addressed\nby management, should strengthen the respective bureaus, offices, and the Treasury\xe2\x80\x99s information\nsecurity program. In a written response, the Treasury Chief Information Officer (CIO) agreed with our\nfindings and recommendations and provided corrective action plans (see Management Response).\nTreasury\xe2\x80\x99s planned corrective actions are responsive to the intent of our recommendations and will be\nevaluated as part of the FY 2014 independent evaluation. We caution that projecting the results of our\nevaluation to future periods is subject to the risks that controls may become inadequate because of\nchanges in technology or because compliance with controls may deteriorate.\n\nAppendix I describes the FISMA evaluation\xe2\x80\x99s objective, scope, and methodology. Appendix II, Status\nof Prior-Year Findings, summarizes the Treasury\xe2\x80\x99s progress in addressing prior-year\nrecommendations. Appendix III provides The Department of the Treasury\xe2\x80\x99s Consolidated Response to\nDHS\xe2\x80\x99s FISMA 2013 Questions for Inspectors General. Appendix IV, Approach to Selection of Subset\nof Systems, describes how we selected systems for review. 
Appendix V contains a glossary of terms\nused in this report.\n\nSincerely,\n\n\n\nNovember 18, 2013\n\n\n1\n  The 11 FISMA program areas are: continuous monitoring management, configuration management, identity and access\nmanagement, incident and response reporting, risk management, security training, plan of action and milestones, remote\naccess management, contingency planning, contractor systems, and security capital planning.\n\n\n\n\n                                                                                                                    Page 2\n\x0cThe Department of the Treasury FISMA Evaluation - 2013\nBACKGROUND\nFederal Information Security Management Act (FISMA)\n\nTitle III of the E-Government Act of 2002 (the Act), commonly referred to as FISMA, focuses on\nimproving oversight of federal information security programs and facilitating progress in correcting\nagency information security weaknesses. FISMA requires federal agencies to develop, document, and\nimplement an agency-wide information security program that provides security for the information and\ninformation systems that support the operations and assets of the agency, including those provided or\nmanaged by another agency, contractor, or other source. The Act assigns specific responsibilities to\nagency heads and Inspectors Generals (IGs) in complying with requirements of FISMA. The Act is\nsupported by the Office of Management and Budget (OMB), agency security policy, and risk-based\nstandards and guidelines published by National Institute of Standards and Technology (NIST) related to\ninformation security practices.\n\nUnder FISMA, agency heads are responsible for providing information security protections\ncommensurate with the risk and magnitude of harm resulting from the unauthorized access, use,\ndisclosure, disruption, modification, or destruction of information and information systems. 
Agency heads\nare also responsible for complying with the requirements of FISMA and related OMB policies and NIST\nprocedures, standards, and guidelines. FISMA directs federal agencies to report annually to the OMB\nDirector, the Comptroller General of the United States, and selected congressional committees on the\nadequacy and effectiveness of agency information security policies, procedures, and practices and\ncompliance with FISMA. OMB has delegated some responsibility to the Department of Homeland\nSecurity (DHS) in memorandum M-10-28, Clarifying Cybersecurity Responsibilities and Activities of the\nExecutive Office of the President and the Department of Homeland Security, for the operational aspects of\nFederal cyber security, such as establishing government-wide incident response and operating the tool to\ncollect FISMA metrics. In addition, FISMA requires agencies to have an annual independent evaluation\nperformed of their information security programs and practices and to report the evaluation results to\nOMB. FISMA states that the independent evaluation is to be performed by the agency IG or an\nindependent external auditor as determined by the IG.\n\nDepartment of the Treasury Bureaus/Offices (Bureaus)\n\nThe Department of the Treasury (Treasury) consists of 12 operating bureaus and offices, including:\n\n     1. Alcohol and Tobacco Tax and Trade Bureau (TTB) \xe2\x80\x93 Responsible for enforcing and\n        administering laws covering the production, use, and distribution of alcohol and tobacco\n        products. TTB also collects excise taxes for firearms and ammunition.\n     2. Bureau of Engraving and Printing (BEP) \xe2\x80\x93 Designs and manufactures United States paper\n        currency, securities, and other official certificates and awards.\n     3. 
Bureau of the Fiscal Service (Fiscal Service) \xe2\x80\x93 A composition of the legacy Bureau of the\n        Public Debt (BPD) who was responsible for borrowing public debt, and the legacy Financial\n        Management Service (FMS), which received and disbursed all public monies, maintained\n        government accounts, and prepared daily and monthly reports on the status of government\n        finances.\n     4. Community Development Financial Institutions (CDFI) Fund \xe2\x80\x93 Created to expand the\n        availability of credit, investment capital, and financial services in distressed urban and rural\n        communities.\n     5. Departmental Offices (DO) \xe2\x80\x93 Primarily responsible for policy formulation. DO, while not a\n        formal bureau, is composed of offices headed by Assistant Secretaries, some of whom report to\n\n\n\n                                                                                                     Page 3\n\x0cThe Department of the Treasury FISMA Evaluation - 2013\n         Under Secretaries. These offices include domestic finance, economic policy, General Council,\n         International Affairs, Legislative Affairs, Management, Public Affairs, Tax Policy, and\n         Terrorism and Finance Intelligence. The Office of Cybersecurity, within the Office of\n         Management, is responsible for the development of information technology (IT) Security\n         Policy.\n     6. Financial Crimes Enforcement Network (FinCEN) \xe2\x80\x93 Supports law enforcement investigative\n         efforts and fosters interagency and global cooperation against domestic and international\n         financial crimes. It also provides United States policy makers with strategic analyses of\n         domestic and worldwide trends and patterns.\n     7. Internal Revenue Service (IRS) \xe2\x80\x93 Responsible for determining, assessing, and collecting\n         internal revenue in the United States.\n     8. 
Office of the Comptroller of the Currency (OCC) \xe2\x80\x93 Charters, regulates, and supervises\n         national banks and thrift institutions to ensure a safe, sound, and competitive banking system\n         that supports the citizens, communities, and economy of the United States.\n     9. Office of Inspector General (OIG) \xe2\x80\x93 Conducts and supervises audits and investigations of the\n         Treasury programs and operations except for IRS which is under the jurisdictional oversight of\n         the Treasury Inspector General for Tax Administration and the Troubled Asset Relief Program\n         (TARP), which is under the jurisdictional oversight of the Special Inspector General. The OIG\n         also keeps the Secretary and the Congress fully and currently informed about problems, abuses,\n         and deficiencies in the Treasury programs and operations.\n     10. United States Mint (Mint) \xe2\x80\x93 Designs and manufactures domestic, bullion, and foreign coins as\n         well as commemorative medals and other numismatic items. The Mint also distributes United\n         States coins to the Federal Reserve banks as well as maintains physical custody and protection\n         of our nation\xe2\x80\x99s silver and gold assets.\n     11. Special Inspector General for the Troubled Asset Relief Program (SIGTARP) \xe2\x80\x93 Has the\n         responsibility to conduct, supervise, and coordinate audits and investigations of the purchase,\n         management, and sale of assets under the TARP. SIGTARP\xe2\x80\x99s goal is to promote economic\n         stability by assiduously protecting the interests of those who fund the TARP programs (i.e., the\n         American taxpayers).\n     12. Treasury Inspector General for Tax Administration (TIGTA) \xe2\x80\x93 Conducts and supervises\n         audits and investigations of IRS programs and operations. 
TIGTA also keeps the Secretary and\n         the Congress fully and currently informed about problems, abuses, and deficiencies in IRS\n         programs and operations.\n\nThe scope of our 2013 FISMA evaluation did not include the IRS, which was evaluated by TIGTA. The\nTIGTA report is appended to this report and the findings of that report are included in Appendix III, The\nDepartment of the Treasury\xe2\x80\x99s Consolidated Response to DHS\xe2\x80\x99s FISMA 2013 Questions for Inspectors\nGeneral.\n\nDepartment of the Treasury Information Security Management Program\n\nTreasury Office of the Chief Information Officer (OCIO)\n\nThe Treasury Chief Information Officer (CIO) is responsible for providing Treasury-wide leadership and\ndirection for all areas of information and technology management, as well as the oversight of a number of\nIT programs. Among these programs is Cyber Security, which has responsibility for the implementation\nand management of Treasury-wide IT security programs and practices. Through its mission, the OCIO\nCyber Security Program develops and implements IT security policies and provides policy compliance\noversight for both unclassified and classified systems managed by each of the Treasury\xe2\x80\x99s bureaus. The\nOCIO Cyber Security Program\xe2\x80\x99s mission focuses on the following areas:\n\n\n\n                                                                                                    Page 4\n\x0cThe Department of the Treasury FISMA Evaluation - 2013\n\n   1. Cyber Security Policy \xe2\x80\x93 Manages and coordinates the Departmental cyber security policy for\n      sensitive (unclassified) systems throughout the Treasury, assuring these policies and requirements\n      are updated to address today\xe2\x80\x99s threat environment, and conducts program performance, progress\n      monitoring, and analysis.\n   2. 
Performance Monitoring and Reporting \xe2\x80\x93 Implements collection of Federal and Treasury-\n      specific security measures and reports those to national authorities and in appropriate summary or\n      dashboard form to senior management, IT managers, security officials, and Bureau officials. For\n      example, this includes preparation and submission of the annual FISMA report and more frequent\n      continuous monitoring information through CyberScope.\n   3. Cyber Security Reviews \xe2\x80\x93 Conducts technical and program reviews to help strengthen the\n      overall cyber security posture of the Treasury and meet their oversight responsibilities.\n   4. Enterprise-wide Security \xe2\x80\x93 Works with the Bureaus\xe2\x80\x99 and the Treasury\xe2\x80\x99s Government Security\n      Operations Center to deploy new Treasury-wide capabilities or integrate those already in place, as\n      appropriate, to strengthen the overall protection of the Treasury.\n   5. Understanding Security Risks and Opportunities from New Technologies \xe2\x80\x93 Analyzes new\n      information and security technologies to determine risks (e.g., introduction of new vulnerabilities)\n      and opportunities (e.g., new means to provide secure and original functionality for users). OCIO\n      seeks to understand these technologies, their associated risks and opportunities, and share and use\n      that information to the Treasury\xe2\x80\x99s advantage.\n   6. Treasury Computer Security Incident Response Capability (TCSIRC) \xe2\x80\x93 Provides incident\n      reporting with external reporting entities and conducts performance monitoring and analyses of\n      the Computer Security Incident Response Center (CSIRC) within the Treasury and each Bureau\xe2\x80\x99s\n      CSIRC.\n   7. 
National Security Systems \xe2\x80\x93 Manages and coordinates the Treasury-wide program to address the\n      cyber security requirements of national security systems through the development of policy and\n      program or technical security performance reviews.\n   8. Cyber Security Sub-Council (CSS) of the CIO Council \xe2\x80\x93 Operates to serve as the formal means\n      for gaining bureau input and advice as new policies are developed, enterprise-wide activities are\n      considered, and performance measures are developed and implemented; provides a structured\n      means for information-sharing among the bureaus.\n\nThe Treasury CIO has tasked the Associate Chief Information Officer for Cyber Security (ACIOCS) with\nthe responsibility of managing and directing the OCIO\xe2\x80\x99s Cyber Security program, as well as ensuring\ncompliance with statutes, regulations, policies, and guidance. In this regard, Treasury Directive\nPublication (TD P) 85-01 Volume I, Treasury Information Technology Security Program, serves as the\nTreasury IT security policy to provide for information security for all information and information\nsystems that support the mission of the Treasury, including those operated by another Federal agency or\ncontractor on behalf of the Treasury. In addition, as OMB periodically releases updates/clarifications of\nFISMA or as NIST releases updates to publications, the ACIOCS and the Cyber Security Program have\nresponsibility to interpret and release updated policy for the Treasury. The ACIOCS and the Cyber\nSecurity Program are also responsible for promoting and coordinating a Treasury IT security program, as\nwell as monitoring and evaluating the status of Treasury\xe2\x80\x99s IT security posture and compliance with\nstatutes, regulations, policies, and guidance. 
Lastly, the ACIOCS has the responsibility of managing\nTreasury\xe2\x80\x99s IT Critical Infrastructure Protection (CIP) program for Treasury IT assets.\n\nBureau CIOs\n\nOrganizationally, the Treasury has established Treasury CIO and bureau-level CIOs. The CIOs are\nresponsible for managing the IT security program for their bureau, as well as advising the bureau head on\nsignificant issues related to the bureau IT security program. The CIOs also have the responsibility for\n\n\n                                                                                                    Page 5\n\x0cThe Department of the Treasury FISMA Evaluation - 2013\noverseeing the development of procedures that comply with the Treasury OCIO policy and guidance and\nfederal statutes, regulations, policy, and guidance. The bureau Chief Information Security Officers\n(CISO) are tasked by their respective CIOs to serve as the central point of contact for the bureau\xe2\x80\x99s IT\nsecurity program, as well as to develop and oversee the bureau\xe2\x80\x99s IT security program. This includes the\ndevelopment of policies, procedures, and guidance required to implement and monitor the bureau IT\nsecurity program.\n\nDepartment of the Treasury \xe2\x80\x93 Bureau OCIO Collaboration\n\nThe Treasury OCIO has established the CIO CSS, which is co-chaired by the ACIOCS and a bureau CIO.\nThe CSS serves as a mechanism for obtaining bureau-level input and advises on new policies, Treasury\nIT security activities, and performance measures. The CSS also provides a means for sharing IT security-\nrelated information among bureaus. 
Included on the CSS are representatives from the OCIO and bureau\nCIO organizations.\n\n\n\n\n                                                                                                  Page 6\n\x0cThe Department of the Treasury FISMA Evaluation - 2013\nOVERALL EVALUATION RESULTS\n\nConsistent with applicable FISMA requirements, OMB policy, and NIST guidelines, the Treasury has\nestablished an information security program and related practices for its non-IRS bureaus\xe2\x80\x99 unclassified\nsystems. This program covers the 11 FISMA program areas: continuous monitoring management,\nconfiguration management, identity and access management, incident and response reporting, risk\nmanagement, security training, plan of action and milestones, remote access management, contingency\nplanning, contractor systems, and security capital planning. 2 However, while the security program has\nbeen implemented across the Treasury for its non-IRS bureaus, we identified needed improvements in 5\nof 11 FISMA program areas. We have made 11 recommendations related to these control deficiencies\nthat, if effectively addressed by management, should strengthen the respective bureaus, offices, and the\nTreasury\xe2\x80\x99s information security program. The Findings section of this report presents the detailed\nfindings and associated recommendations. In a written response to this report, the Treasury CIO agreed\nwith our findings and recommendations and provided corrective action plans (see Management\nResponse). Treasury\xe2\x80\x99s planned corrective actions are responsive to the intent of our recommendations.\n\nAdditionally, we evaluated all prior-year findings from the fiscal year (FY) 2012 and 2011 FISMA\nPerformance Audits and noted that management had closed 33 of 40 findings. For 2 of the 40 findings,\nwe were unable to test the corrective actions by our end of fieldwork date, June 30, 2013. 
For these\nfindings, we noted they were closed by Treasury but untested by KPMG and should be evaluated as part\nof the FY 2014 independent evaluation. See Appendix II, Status of Prior-Year Findings, for additional\ndetails.\n\n\n\n\n2\n  TIGTA will provide a separate report evaluating the IRS\xe2\x80\x99s implementation of the Department of the Treasury\xe2\x80\x99s information\nsecurity program.\n\n\n\n\n                                                                                                                       Page 7\n\x0cThe Department of the Treasury FISMA Evaluation - 2013\nFINDINGS\n\n1. Logical account management activities were not in place or not consistently performed\n   by DO, Mint, and TIGTA\n\n    We identified instances of noncompliance with logical access policies at DO, Mint, and TIGTA. We\n    noted the following:\n\n         1. Account management activities were not consistently performed as required by TD P 85-01\n            Volume I, Treasury Information Technology Security Program, and bureau-specific policies\n            at DO and Mint.\n            \xe2\x80\xa2 For a selected DO system, management was unable to provide us with user access\n                agreements for 4 of the 25 selected active administrator accounts assigned to contractor\n                personnel. In addition, DO management was unable to secure from the system vendor\n                sufficient supporting documentation evidencing the administrators\xe2\x80\x99 account creation\n                dates. At the beginning of a new contract, management gave verbal approval to authorize\n                the initial contractors. Later, when the on-boarding process was formalized, it did not\n                include validation of all contractors who received the initial verbal authorization. 
Without account creation dates, we could not verify whether the four accounts for which no formal authorization was recorded had been created before the on-boarding process was finalized. As a result, there was insufficient evidence that user account authorization was in place and operating effectively. (See Recommendations #1 and #2.)
         • For a selected Mint system, Mint management did not formally document and retain access request forms for 2 of 11 new user accounts. One of these two users was a system administrator for whom no documentation of authorization existed. We noted that the defined procedure for approving new users for the selected system did not provide for the creation and proper retention of new user access request forms, as required by policy. (See Recommendations #3 and #4.)

      2. For a selected TIGTA system, TIGTA management was unable to provide a system-generated list showing last login dates and times. In addition, we were unable to obtain evidence of user authorization forms for the system. As a result, there was no evidence that user account management was in place and operating effectively. This was a self-reported finding, listed as a POA&M within the Trusted Agent FISMA (TAF) system with an estimated completion date of January 31, 2014.

   These control deficiencies demonstrate that these bureaus did not appropriately implement policies for approving and reviewing user access or follow NIST's concept of least privilege.[3]
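
   The evidence the three conditions above turn on (an approval on file for every account, a recorded creation date that can be tied to that approval, and a last-logon date so that inactive accounts can be disabled) can be reconciled mechanically from two exports. The script below is an added example written for this page; it is not part of the report and not tooling from DO, Mint, or TIGTA. It assumes a pipe-delimited account export and an access-authorization ledger in the layouts shown, a 90-day inactivity threshold, and constructed sample records; all of these are illustrative assumptions rather than Treasury policy values.

```python
# Added example: reconcile an account export against an access-authorization
# ledger. Not from the report and not Treasury code. The two inputs, the field
# layout, the 90-day inactivity threshold and the sample records are assumptions.
from datetime import date, datetime

INACTIVE_DAYS = 90  # assumed threshold; substitute the bureau's policy value


def _parse_date(text):
    """Return a date, or None when the export left the field blank."""
    text = text.strip()
    return datetime.strptime(text, "%Y-%m-%d").date() if text else None


def _records(lines):
    """Yield field lists from pipe-delimited lines, skipping comments/blanks."""
    for line in lines:
        if line.strip() and not line.startswith("#"):
            yield [f.strip() for f in line.split("|")]


def parse_accounts(lines):
    """user|type|created|last_logon  ->  {user: {...}}"""
    return {
        user: {"type": kind, "created": _parse_date(created),
               "last_logon": _parse_date(last_logon)}
        for user, kind, created, last_logon in _records(lines)
    }


def parse_ledger(lines):
    """user|approver|approved  ->  {user: {...}}"""
    return {
        user: {"approver": approver, "approved": _parse_date(approved)}
        for user, approver, approved in _records(lines)
    }


def reconcile(accounts, ledger, as_of, inactive_days=INACTIVE_DAYS):
    """Return {user: [issue, ...]} for accounts needing attention.

    Administrator accounts are listed first because an unauthorized or stale
    privileged account is the larger least-privilege exposure.
    """
    findings = {}
    ordered = sorted(accounts.items(),
                     key=lambda kv: (kv[1]["type"] != "admin", kv[0]))
    for user, acct in ordered:
        issues = []
        auth = ledger.get(user)
        if auth is None:
            # No access request/approval on file: the DO and Mint condition.
            issues.append("no-authorization-evidence")
        if acct["created"] is None:
            # Without a creation date the approval cannot be tied to the account.
            issues.append("no-creation-date")
        elif auth and auth["approved"] and acct["created"] < auth["approved"]:
            # Account predates its formal approval (e.g. verbal authorization).
            issues.append("created-before-approval")
        if acct["last_logon"] is None:
            # The TIGTA condition: no last-logon data, so inactivity is untestable.
            issues.append("no-last-logon-data")
        elif (as_of - acct["last_logon"]).days > inactive_days:
            issues.append("inactive")
        if issues:
            findings[user] = issues
    return findings


# Constructed sample data (not from any Treasury system).
ACCOUNT_EXPORT = """\
# user|type|created|last_logon
jdoe|user|2012-03-01|2013-06-20
vendor-adm1|admin||2013-06-01
vendor-adm2|admin|2013-02-15|2013-06-28
asmith|user|2013-05-10|2013-06-11
old-svc|user|2011-01-10|2013-01-15
tmp-adm|admin|2013-06-01|
""".splitlines()

AUTH_LEDGER = """\
# user|approver|approved
jdoe|J. Manager|2012-02-27
vendor-adm2|J. Manager|2013-04-07
asmith|J. Manager|2013-05-09
old-svc|J. Manager|2011-01-05
tmp-adm|J. Manager|2013-06-01
""".splitlines()

AS_OF = date(2013, 6, 30)  # end of the evaluation's fieldwork period


if __name__ == "__main__":
    for user, issues in reconcile(parse_accounts(ACCOUNT_EXPORT),
                                  parse_ledger(AUTH_LEDGER), AS_OF).items():
        print(f"{user:12s} {', '.join(issues)}")
```

   Run as-is, the sample surfaces each condition in the finding: an administrator account with no approval and no creation date, an administrator account created before its formal approval (the verbal-authorization gap), an account with no last-logon data, and a stale account. A missing creation date or last-logon field is reported as its own issue rather than silently treated as compliant, because an assessor cannot test what the system does not record.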


   By failing to retain evidence of approval for all user and administrator accounts, the bureaus increase the risk that users hold unauthorized access to, or can modify production data on, their respective systems or the network.

   We recommend that DO management:

      1. For the selected system, implement a process or mechanism to track the administrators' account information, including account creation date.

      2. For the selected system, ensure that all users are authorized and maintain evidence of the authorization of users.

   We recommend that Mint management:

      3. For the selected system, update the process for approving users to ensure the appropriate creation and preservation of user access authorization records for this system. The system security plan (SSP) should also be updated to reflect the new process.

      4. For the selected system, reapprove all existing users under the new process to ensure their access is appropriate.

   Based on the planned corrective actions for TIGTA, we are not making additional recommendations.

[3] NIST SP 800-53, Rev. 3, defines least privilege as allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.

2. Security incidents were not reported correctly at Fiscal Service and OIG

   Treasury bureaus are required to submit all security incidents to the TCSIRC within specified time frames categorized by incident severity. 
The evaluation identified that Fiscal Service reported incidents later than the United States Computer Emergency Readiness Team (US-CERT) and Treasury recommended guidelines. We also noted that OIG incorrectly reported Category (CAT) 1 incidents as CAT 4 incidents. Specifically, we noted the following:

      • Fiscal Service reported 3 of 15 CAT 1 incidents outside the US-CERT guidance of one hour. Two of the incidents were reported between 85 and 111 minutes after initial identification. One of the incidents was reported 21 hours after initial identification. Fiscal Service management explained that the assessment process for an incident can sometimes exceed the 1-hour timeframe required for a CAT 1 incident even though management is actively working the incident. Management plans to revise its current procedure to account for incidents that may require additional time for research and analysis. (See Recommendations #5 and #6.)
      • OIG incorrectly reported 2 of 8 CAT 1 incidents as CAT 4 incidents. Both incidents were reported within the 1-hour deadline required for a CAT 1 incident. OIG management was categorizing incidents based on an older Treasury policy dated 2008 that did not provide examples of the types of incidents that fall into each category. They were not aware of the newer Treasury policy dated 2011 that gives specific examples of the types of incidents in each category. (See Recommendation #7.)

   By not reporting security incidents in a timely manner and under the correct categorization, these bureaus increase the risk of unauthorized access or denial of service attacks against their information systems while the incident remains unreported. 
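
   The two checks behind this finding, elapsed time from initial identification to the TCSIRC report measured against the category deadline, and a category that matches the nature of the event, can be run over an incident log. The script below is an added example written for this page; it is not part of the report and not Fiscal Service, OIG, or TCSIRC code. Only the one-hour CAT 1 deadline comes from the report: the other deadlines are assumptions taken from the pre-2014 US-CERT federal incident reporting guidelines and should be confirmed against current policy, the CAT 1 keyword list is a triage heuristic of the author's choosing, and the incident records are constructed.

```python
# Added example: check an incident log for reporting-deadline compliance and
# likely miscategorization. Not from the report and not TCSIRC or bureau code.
from dataclasses import dataclass
from datetime import datetime, timedelta

# Deadline measured from initial identification. Only the CAT 1 one-hour value
# is stated in the report; the others are ASSUMED from the pre-2014 US-CERT
# federal incident reporting guidelines and must be verified against current policy.
DEADLINES = {
    "CAT1": timedelta(hours=1),    # unauthorized access (from the report)
    "CAT2": timedelta(hours=2),    # denial of service (assumed)
    "CAT3": timedelta(days=1),     # malicious code (assumed)
    "CAT4": timedelta(weeks=1),    # improper usage (assumed)
    "CAT5": timedelta(days=30),    # scans/probes/attempted access (assumed)
}

# Triage heuristic, not a US-CERT rule: phrases that usually describe a CAT 1
# event. A match on a non-CAT 1 record only flags it for analyst review.
CAT1_INDICATORS = ("unauthorized access", "compromised", "account takeover",
                   "privilege escalation")

TIME_FMT = "%Y-%m-%d %H:%M"


@dataclass
class Incident:
    ident: str
    category: str
    identified: datetime   # when the bureau first identified the incident
    reported: datetime     # when it reached TCSIRC
    summary: str


def parse_incident(record):
    """ident|category|identified|reported|summary -> Incident"""
    ident, category, identified, reported, summary = (
        f.strip() for f in record.split("|", 4))
    return Incident(ident, category.upper().replace(" ", ""),
                    datetime.strptime(identified, TIME_FMT),
                    datetime.strptime(reported, TIME_FMT), summary)


def minutes_late(inc):
    """Minutes past the category deadline; 0 if on time; None if the
    category is unknown."""
    deadline = DEADLINES.get(inc.category)
    if deadline is None:
        return None
    overrun = (inc.reported - inc.identified) - deadline
    return max(0, int(overrun.total_seconds() // 60))


def check_incident(inc):
    """Return a list of (code, detail) issues for one incident."""
    issues = []
    if inc.reported < inc.identified:
        issues.append(("clock-skew", "reported before identified"))
    late = minutes_late(inc)
    if late is None:
        issues.append(("unknown-category", inc.category))
    elif late > 0:
        issues.append(("late", f"{late} min past the {inc.category} deadline"))
    if inc.category != "CAT1" and any(
            k in inc.summary.lower() for k in CAT1_INDICATORS):
        issues.append(("possible-miscategorization",
                       "summary reads like a CAT 1 event"))
    return issues


def check_incidents(records):
    """Return {ident: [(code, detail), ...]} for records with issues."""
    findings = {}
    for record in records:
        inc = parse_incident(record)
        issues = check_incident(inc)
        if issues:
            findings[inc.ident] = issues
    return findings


# Constructed sample records (not real Treasury incidents).
SAMPLE_RECORDS = [
    "INC-001|CAT1|2013-05-02 09:00|2013-05-02 09:40|Unauthorized access to a file server",
    "INC-002|CAT1|2013-05-03 14:00|2013-05-03 15:25|Compromised workstation, attacker shell observed",
    "INC-003|CAT1|2013-05-04 08:00|2013-05-04 09:51|Unauthorized access to HR database",
    "INC-004|CAT1|2013-05-06 10:00|2013-05-07 07:00|Compromised service account",
    "INC-005|CAT4|2013-05-08 11:00|2013-05-08 11:30|Unauthorized access to a shared mailbox by a contractor",
    "INC-006|CAT4|2013-05-09 12:00|2013-05-12 12:00|Employee installed peer-to-peer file sharing software",
]


if __name__ == "__main__":
    for ident, issues in check_incidents(SAMPLE_RECORDS).items():
        for code, detail in issues:
            print(f"{ident}: {code}: {detail}")
```

   The sample reproduces the reported conditions: CAT 1 incidents reported 85 minutes, 111 minutes, and 21 hours after identification are flagged late, and a CAT 4 record whose summary describes unauthorized access is flagged for review. Because the clock starts at initial identification rather than at the end of analysis, an incident still under assessment at the 60-minute mark shows up as late, which is exactly the gap Fiscal Service described.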


   Additionally, by not reporting incidents correctly, the bureaus can impair the TCSIRC's and US-CERT's ability to track, analyze, and act on aggregated incident data within prescribed timeframes.

   We recommend that Fiscal Service management:

      5. Update the Bureau of the Fiscal Service Incident Handling and Response Standard Operating Procedures to account for the additional processes performed by the Enterprise Security Services – Security Divisions.

      6. Ensure that Fiscal Service Security reports all CAT 1 incidents to TCSIRC in compliance with the revised standard operating procedures. In addition, provide additional training to the Incident Responder team once the incident response standard operating procedures are revised.

   We recommend that OIG management:

      7. Ensure that OIG's CSIRC categorizes incidents based on the guidelines set forth in the most recent Treasury policy and provides training to staff regarding this policy.

3. FinCEN and Fiscal Service did not follow NIST guidance for SSPs

   NIST and Treasury guidance require that Treasury SSPs remain up-to-date and current with the NIST Risk Management Framework and address the NIST Special Publication (SP) 800-53, Revision (Rev.) 3, security controls. Specifically, we noted that:

   • FinCEN's SSP for the selected system did not follow NIST SP 800-53, Rev. 3, guidance on required controls for HIGH-categorized systems. Specifically, publicly accessible content (AC-22), non-repudiation (AU-10), incident response plan (IR-8), and information system partitioning (SC-32) were not addressed in the SSP. 
FinCEN management did not perform an adequate review of the SSP and overlooked the absence of these controls when updating the SSP. (See Recommendations #8 and #9.)
   • Fiscal Service's SSP for the selected system was last updated in November 2011 and had not been reviewed annually as required by Fiscal Service guidelines. Fiscal Service management decided not to update the selected system's SSP in FY 2013 because the system was scheduled for its annual security assessment, with completion projected in mid-December 2013, and the SSP would be updated at that time. (See Recommendation #10.)

   Failing to document an up-to-date baseline of security controls may have a negative effect on subsequent security activities. Specifically, FinCEN and Fiscal Service may not be able to implement, assess, authorize, and monitor the security controls properly for the selected systems; therefore, the system security controls may not be sufficient to protect the confidentiality, integrity, and availability of sensitive bureau information.

   We recommend that FinCEN management:

      8. Update the system SSP to address and reference the outstanding NIST SP 800-53, Rev. 3, controls and control enhancements for a HIGH baseline.

      9. Conduct thorough reviews of the system SSP annually to ensure that it includes all applicable NIST SP 800-53, Rev. 3, controls.

   We recommend that Fiscal Service management:

      10. Ensure that, subsequent to the selected system's security assessment, the SSP undergoes annual reviews.

4. Contingency planning and testing controls were not fully implemented or operating as designed at TIGTA

   TD P 85-01 requires Treasury bureaus to protect their information systems in the event of a disaster. Bureaus must create plans for system recovery and test these plans. TIGTA did not fully implement contingency planning (planning and testing) controls as required by TD P 85-01, Volume I, NIST SP 800-53, Rev. 3, and NIST SP 800-34. While these controls do not affect normal daily operations, they are invaluable in quickly recovering a system from a disaster or service interruption. Contingency plan documentation for a selected TIGTA system was not finalized within the FISMA year. This was a self-reported finding documented within TIGTA's POA&M report on TAF, with an estimated completion date of December 31, 2013.

   Contingency plans and contingency plan testing, as required by NIST SP 800-53, Rev. 3, and NIST SP 800-34, are paramount in assuring that TIGTA information systems can remain operational with the least amount of downtime possible in emergencies. Failure to appropriately test recovery capabilities could result in the unavailability of critical TIGTA information and information systems in the event of a disaster.

   Based on the planned corrective actions for TIGTA, we are not making a recommendation.

5. Evidence of successful completion of annual security awareness training was not retained for some users at OIG

   NIST standards and TD P 85-01 require that all users complete IT security awareness training on an annual basis. Additionally, Department guidance requires that individual training records be retained for a period of five years. OIG management did not maintain evidence of the successful completion of security awareness training by its users. 
OIG management was unable to provide evidence of successful security awareness training completion for 4 of the 25 users selected for testing. OIG management reported that these users verbally reported completing the training in the Treasury Learning Management System (TLMS); however, the system did not record their successful submission. In addition, management does not require users to retain copies of their training certificates as evidence of completion. (See Recommendation #11.)

   Annual security awareness training, as required by TD P 85-01, is essential to verify that users have been made aware of system or application rules, their responsibilities, and their expected behavior. Without the ability to verify that every employee has completed security awareness training, management cannot ensure that employees are properly aware of system or application rules, their responsibilities, and their expected behavior, and IT resources and data are therefore not adequately protected from compromise.

   We recommend that OIG management:

      11. Implement processes or mechanisms to ensure that users complete the annual security awareness training and that records of users' successful completion of this training are retained.

MANAGEMENT RESPONSE TO THE REPORT

The following is the Treasury CIO's response, dated October 29, 2013, to the FY 2013 FISMA Evaluation Report.

Management Response to KPMG Recommendations

KPMG Finding 1: Logical account management activities were not in place or not consistently performed by DO, Mint, and TIGTA

KPMG Recommendation 1: For DO, we recommend that management: For the selected system, implement a process or mechanism to track the administrators' account information, including account creation date.

        Treasury Response: Treasury agrees with the finding and recommendation. The process for granting administrative privileges was instituted in April 2013 to ensure all vendor access has been authorized in the form of a background investigation. A collaborative workspace was stood up to increase visibility of the vendor account management process and includes artifacts to support submission and successful adjudication of a background investigation, which leads to account creation and is tracked with a date on the vendor system. 
Target Completion: April 7,\n        2013\n\n        Responsible Official: Departmental Offices, Information Owner (IO) for the selected system.\n\nKPMG Recommendation 2: For DO, we recommend that management: For the selected system, ensure\nthat all users are authorized and maintain evidence of the authorization of users.\n\n        Treasury Response: Treasury agrees with the finding and recommendation. DO will establish\n        annual reviews of user accounts to ensure that all users are authorized. The IO will maintain\n        evidence of the authorization of all users. Target Completion: April 7, 2014\n\n        Responsible Official: Departmental Offices, IO for the selected system.\n\nKPMG Recommendation 3: For Mint, we recommend that management: For the selected system,\nupdate the process for approving users to the system to ensure that there is appropriate creation and\npreservation of user access authorization to this system. The system security plan (SSP) should also be\nupdated to reflect the new process.\n\n        Treasury Response: Treasury agrees with the finding and recommendation. Mint has instituted\n        development of new Standard Operating Procedures that outline the approval process for\n        approving users\xe2\x80\x99 access to the system, management and disposition of user access authorization,\n        and periodic review of procedures. System documentation will be updated to reflect new\n        processes. Target Completion: January 15, 2014\n\n        Responsible Official: Mint, Chief Information Security Officer\n\nKPMG Recommendation 4: For Mint, we recommend that management: For the selected system,\nreapprove all existing users under the new process to ensure their access is appropriate.\n\n        Treasury Response: Treasury agrees with the finding and recommendation. Validation for all\n        existing users\xe2\x80\x99 access will occur using the new processes being developed by the Mint. 
This will ensure the creation and preservation of user access, determination that users have appropriate access, and completion of updates to system documentation to reflect new processes is addressed in a timely manner. Target Completion: January 15, 2014

        Responsible Official: Mint, Chief Information Security Officer

KPMG: Based on the planned corrective actions for TIGTA, we are not making additional recommendations.

KPMG Finding 2: Security incidents were not reported correctly at Fiscal Service and OIG

KPMG Recommendation 5: For Fiscal Service, we recommend that management: Update Bureau of the Fiscal Service Incident Handling and Response Standard Operating Procedures to account for the additional processes performed by the Enterprise Security Services – Security Divisions.

        Treasury Response: Treasury agrees with the finding and recommendation. Fiscal Service will update its Incident Handling and Response Standard Operating Procedures to account for the additional processes performed by the Enterprise Security Services – Security Divisions. Target Completion: May 30, 2014

        Responsible Official: Fiscal Service, Chief Information Officer

KPMG Recommendation 6: For Fiscal Service, we recommend that management: Ensure that Fiscal Service Security reports all CAT 1 incidents to TCSIRC [the Treasury Cyber Security Incident Response Center] in compliance with their revised standard operating procedures. In addition, provide additional training to the Incident Responder team once the incident response standard operating procedures are revised.

        Treasury Response: Treasury agrees with the finding and recommendation. 
Fiscal Service will ensure that all CAT 1 incidents are reported to TCSIRC in compliance with revised standard operating procedures. In addition, the Bureau will provide additional training to the Incident Responder team once the incident response standard operating procedures are revised. Target Completion: May 30, 2014

        Responsible Official: Fiscal Service, Chief Information Officer

KPMG Recommendation 7: For OIG, we recommend that management: Ensure that OIG's CSIRC categorizes incidents based on guidelines set forth in the most recent Treasury policy and provides training to staff regarding this new Treasury Policy.

        Treasury Response: Treasury agrees with the finding and recommendation. OIG has ensured that its staff is aware of the current Treasury Policy regarding the proper categorizing of incidents. Completed: September 30, 2013

        Responsible Official: OIG, Director of Information Technology

KPMG Finding 3: FinCEN and Fiscal Service did not follow NIST guidance for SSPs

KPMG Recommendation 8: For FinCEN, we recommend that management: Update the system SSP to address and reference the outstanding NIST SP 800-53 Rev. 3 controls and control enhancements for a HIGH baseline.

        Treasury Response: Treasury agrees with the finding and recommendation. FinCEN will update the SSP document with the missing controls. Target Completion: November 30, 2013

        Responsible Official: FinCEN, Chief Information Security Officer

KPMG Recommendation 9: For FinCEN, we recommend that management: Conduct thorough reviews of the system SSP annually to ensure that it includes applicable NIST SP 800-53 Rev. 3 controls.

        Treasury Response: Treasury agrees with the finding and recommendation. 
FinCEN will review system security plans annually to ensure applicable NIST SP 800-53 Rev. 3 controls are included. Target Completion: November 30, 2013

        Responsible Official: FinCEN, Chief Information Security Officer

KPMG Recommendation 10: For Fiscal Service, we recommend that management: Ensure that, subsequent to the selected system's security assessment, the SSP undergoes annual reviews.

        Treasury Response: Treasury agrees with the finding and recommendation. Fiscal Service will ensure that, subsequent to the selected system's security assessment, the SSP will undergo annual reviews. Target Completion: September 30, 2014

        Responsible Official: Fiscal Service, Chief Information Officer

KPMG Finding 4: Contingency planning and testing controls were not fully implemented or operating as designed at TIGTA

KPMG: Based on the planned corrective actions for TIGTA, we are not making a recommendation.

KPMG Finding 5: Evidence of successful completion of annual security awareness training was not retained for some users at OIG

KPMG Recommendation 11: For OIG, we recommend that management: Implement processes or mechanisms to ensure that users complete the annual security awareness training and that the records of users' successful completion of this training are retained.

        Treasury Response: Treasury agrees with the finding and recommendation. OIG will ensure successful completions of annual security awareness training by requiring that employees provide a copy of the completed training certificate to supplement the reports provided by the Treasury Learning Management System (TLMS). 
Target Completion: June 1, 2014

        Responsible Official: OIG, Director of Information Technology

APPENDIX I – OBJECTIVE, SCOPE, AND METHODOLOGY

The objective of this Federal Information Security Management Act (FISMA) evaluation was to conduct an independent evaluation of the information security program and practices of the Department of the Treasury (Treasury) to assess the effectiveness of such program and practices for the year ending June 30, 2013, as they relate to non-Internal Revenue Service (IRS) information systems. Specifically, the objectives of this evaluation were to:
       • Perform the annual independent FISMA evaluation of the Treasury's information security program and practices.
       • Respond to Department of Homeland Security (DHS) FISMA questions on behalf of the Treasury Office of Inspector General (OIG).
       • Follow up on the status of prior-year FISMA findings.

We conducted our independent evaluation in accordance with the Council of the Inspectors General on Integrity and Efficiency's Quality Standards for Inspection and Evaluation.

To accomplish our objectives, we evaluated security controls in accordance with applicable legislation, Presidential directives, and the DHS FY 2013 Inspector General Federal Information Security Management Act Reporting Metrics, dated November 30, 2012. We reviewed the Treasury information security program from a program-level perspective and then examined how each bureau implemented these policies and procedures.

We took a phased approach to satisfy the evaluation's objective, as listed below:

       PHASE A: Assessment of Department-Level Compliance

       To gain an enterprise-level understanding, we assessed management, policies, and guidance for the overall Treasury-wide information security program per requirements defined in FISMA and the DHS FY 2013 Inspector General Federal Information Security Management Act Reporting Metrics, as well as Treasury guidelines developed in response to FISMA. This included program controls applicable to information security governance, certification and accreditation, security configuration management, incident response and reporting, security training, plan of action and milestones, remote access, account and identity management, continuous monitoring, contingency planning, and contractor systems.

       PHASE B: Assessment of Bureau-Level Compliance

       To gain a bureau-level understanding, we assessed the implementation of the guidance for the 11 bureau- and office-wide information security programs[4] according to requirements defined in FISMA and the DHS FY 2013 Inspector General Federal Information Security Management Act Reporting Metrics, as well as Treasury guidelines developed in response to FISMA. This included program controls applicable to information security governance, certification and accreditation, security configuration management, incident response and reporting, security training, plan of action and milestones, remote access, account and identity management, continuous monitoring, contingency planning, and contractor systems.

       PHASE C: System Level (Limited)

       To gain an understanding of how effectively the bureaus implemented information security controls at the system level, we assessed the implementation of a limited selection of security controls from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision (Rev.) 3, for a subset of Treasury information systems (see Appendix IV).

[4] TIGTA assessed IRS's bureau-level compliance.

We also tested a subset of 15 information systems from a total population of 113 non-IRS major applications and general support systems as of May 16, 2013.[5] We tested the 15 information systems to assess whether bureaus were effective in implementing the Treasury's security program and meeting the Federal Information Processing Standards (FIPS) 200 minimum security standards to protect information and information systems. Appendix IV, Approach to Selection of Subset of Systems, provides additional details regarding our system selection. The subset of systems encompassed systems managed and operated by 10 of 12 Treasury bureaus, excluding IRS and the Community Development Financial Institutions (CDFI) Fund.[6]

We based our criteria for selecting security controls within each system on the following:

    •      Controls that were shared across a number of information systems, such as common controls,
    •      Controls that were likely to change over time (i.e., volatile controls) and require human intervention, and
    •      Controls that were identified in prior audits as requiring management's attention.

Other Considerations

In performing our control evaluations, we interviewed key Treasury Office of the Chief Information Officer (OCIO) personnel who had significant information security responsibilities, as well as personnel across the non-IRS bureaus. We also evaluated the Treasury's and bureaus' policies, procedures, and guidelines. Lastly, we evaluated selected security-related documents and records, including certification and accreditation (C&A) packages, configuration assessment results, and training records.

We performed our fieldwork at the Treasury's headquarters offices in Washington, D.C., and bureau locations in Washington, D.C.; Hyattsville, Maryland; and Vienna, Virginia, during the period of April 22, 2013 through July 31, 2013. During our evaluation, we met with Treasury management to discuss our preliminary conclusions.

Criteria

We focused our FISMA evaluation approach on federal information security guidance developed by NIST and the Office of Management and Budget (OMB). NIST Special Publications provide guidelines that are considered essential to the development and implementation of agencies' security programs.
[7] The following is a listing of the criteria used in the performance of the fiscal year (FY) 2013 FISMA evaluation:

NIST FIPS and/or Special Publications

    •    NIST FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems
    •    NIST FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems
    •    NIST SP 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model
    •    NIST SP 800-18, Rev. 1, Guide for Developing Security Plans for Federal Information Systems
    •    NIST SP 800-30, Risk Management Guide for Information Technology Systems
    •    NIST SP 800-34, Rev. 1, Contingency Planning Guide for Federal Information Systems
    •    NIST SP 800-37, Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
    •    NIST SP 800-39, Managing Risk from Information Systems: An Organizational, Mission and Information System View
    •    NIST SP 800-53, Rev. 3, Recommended Security Controls for Federal Information Systems and Organizations
    •    NIST SP 800-53A, Rev. 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations
    •    NIST SP 800-60, Rev. 1, Guide for Mapping Types of Information and Information Systems to Security Categories
    •    NIST SP 800-61, Rev. 1, Computer Security Incident Handling Guide
    •    NIST SP 800-70, Rev. 2, National Checklist Program for IT Products: Guidelines for Checklist Users and Developers

OMB Policy Directives

    •    OMB Circular A-130, Management of Federal Information Resources
    •    OMB Memorandum 04-25, FY 2004 Reporting Instructions for the Federal Information Security Management Act
    •    OMB Memorandum 05-24, Implementation of Homeland Security Presidential Directive (HSPD) 12 – Policy for a Common Identification Standard for Federal Employees and Contractors
    •    OMB Memorandum 07-11, Implementation of Commonly Accepted Security Configurations for Windows Operating Systems
    •    OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information
    •    OMB Memorandum 07-18, Ensuring New Acquisitions Include Common Security Configurations

United States Department of Homeland Security

    •    DHS FY 2013 Inspector General Federal Information Security Management Act Reporting Metrics

Treasury Policy Directives

    •    Treasury Directive Publication (TD P) 15-71, Department of the Treasury Security Manual
    •    TD P 85-01, Volume I, Treasury Information Technology Security Program

[5] A subset of information systems refers to our approach of stratifying the population of non-IRS Department of the Treasury information systems and selecting an information system from each Department of the Treasury bureau, excluding IRS and the CDFI Fund, rather than selecting a random sample of information systems that might exclude a Treasury bureau.

[6] Our rotational system selection strategy precludes selecting systems reviewed within the past two years. In FY 2012 and FY 2011, both of the CDFI Fund's only two systems were selected. Therefore, and in accordance with the OIG's instruction, we excluded that bureau's systems from our sample selection in FY 2013.

[7] Note (per FY 2013 Inspector General Federal Information Security Management Act Reporting Metrics): While agencies are required to follow NIST standards and guidance in accordance with OMB policy, there is flexibility within NIST's guidance documents in how agencies apply the guidance. However, NIST Special Publication 800-53 is mandatory because FIPS 200 specifically requires it. Unless specified by additional implementing policy by OMB, guidance documents published by NIST generally allow agencies latitude in their application. Consequently, the application of NIST guidance by agencies can result in different security solutions that are equally acceptable and compliant with the guidance.

APPENDIX II – STATUS OF PRIOR-YEAR FINDINGS

In FY 2013, we conducted a FISMA evaluation rather than the FISMA performance audits conducted in FY 2012 and FY 2011. As part of this year's FISMA evaluation, we followed up on the status of the prior-year findings. For the following prior-year performance audit findings, we evaluated the information systems to determine whether the recommendations had been implemented and whether the findings were closed. We inquired of Department of the Treasury (Treasury) personnel and inspected evidence to determine the status of the findings. If recommendations were determined to be implemented, we closed the findings. If recommendations were determined to be only partially implemented or not implemented at all, we determined the finding to be open. For 2 of the 40 findings, we were unable to test the corrective actions by our end of fieldwork date, June 30, 2013. 
For these findings, we noted that they were closed but untested and should be evaluated as part of the FY 2014 independent evaluation.

Prior Year Findings – 2012 Performance Audit

Each prior-year finding below is presented with its finding number, prior-year condition, recommendation(s), and current status.

Finding #: Prior Year FY 2012 Finding #1 – Bureau of the Public Debt (BPD)
Logical account management activities were not in place or not consistently performed.

Prior-Year Condition: For the two selected BPD systems, BPD management could not provide sufficient supporting documentation evidencing the users' last log-on date or time. As a result, we were unable to test the operating effectiveness of the controls over whether inactive users are disabled.

Recommendation(s): We recommend that BPD management:
    1.  For both selected systems, develop or acquire additional system capability that generates user lists with last log-on dates so that inactive users are automatically disabled in a timely manner.
    2.  For both selected systems, in the absence of a long-term system capability solution, perform manual monthly reviews of all system user accounts and disable or delete accounts that no longer need access.

Status: Implemented/Untested. FMS and BPD consolidated into one organization, Fiscal Service, in October 2012. Fiscal Service reports that it implemented automated emails that run on a daily basis to show users' last log-on dates for the two selected systems. However, Fiscal Service did not complete the corrective actions until June 2013. Therefore, we were unable to test the effectiveness. The finding will be tested as part of the FY 2014 FISMA evaluation.


Finding #: Prior Year FY 2012 Finding #1 – Bureau of Alcohol and Tobacco Tax and Trade Bureau (TTB)
Logical account management activities were not in place or not consistently performed.

Prior-Year Condition: TTB had three active user accounts that should have had access revoked. One account, a test account, had last logged in on March 22, 2012, and the account was not deactivated after 60 days of inactivity. Another account was for an individual who had separated in July 2011 but still had an enabled account. Additionally, there was a separated individual whose account was still active 20 days after her departure. TTB management explained that it did not have an automated mechanism to disable inactive accounts due to a technical limitation; therefore, some user accounts were not properly disabled in a timely manner. Additionally, TTB stated that access removal for separated employees was a manual process by each employee's supervisor and that human error occurred.

Recommendation(s): We recommend that TTB management:
    1.  Implement an automated mechanism, a script, or a manual review process to ensure inactive accounts are disabled after 60 days of inactivity.
    2.  Ensure that supervisors are aware of their responsibilities to remove the access of separated employees.

Status: Implemented/Closed. TTB has implemented an automated script that runs on a weekly basis. Accounts that are 60 days inactive are automatically disabled. In addition, a notice was sent out to all supervisory staff and Contract Officer Representatives (CORs) detailing their responsibility for completing the “Delete All Access” process for departing staff members.


Finding #: Prior Year FY 2012 Finding #1 – Departmental Office (DO)
Logical account management activities were not in place or not consistently performed.

Prior-Year Condition: For a selected DO system, DO management did not formally document and maintain access request forms for privileged user accounts. This was self-discovered during the system's continuous monitoring test performed in June 2012. While there was a documented corrective action plan in the continuous monitoring report, there was not an updated POA&M item during the FISMA year.

Recommendation(s): We recommend that DO management include the corrective action plans from the selected system's continuous monitoring report in a POA&M item.

Status: Implemented/Closed. We noted that a POA&M item was added for the selected system, which cross-referenced the corrective action plans from the continuous monitoring report.


Finding #: Prior Year FY 2012 Finding #1 – Office of Comptroller of the Currency (OCC)
Logical account management activities were not in place or not consistently performed.

Prior-Year Condition: OCC did not incorporate all general support system user accounts of the Office of Thrift Supervision (OTS), the bureau that OCC partially took over last year, as part of its access review process. When OTS migrated to OCC, most of the accounts were changed from OTS accounts to OCC accounts. Fourteen users were not transferred over. OCC noticed this when they did their account review and created a POA&M to remediate it. This was a self-reported finding and documented within OCC's POA&M report in the Trusted Agent FISMA (TAF) system and scheduled to be corrected on July 31, 2012.

Recommendation(s): Based on the planned corrective actions for OCC, we are not making additional recommendations.

Status: Implemented/Closed. We noted all old OTS accounts have been changed to OCC accounts.


Finding #: Prior Year FY 2012 Finding #1 – Financial Crimes Enforcement Network (FinCEN)
Logical account management activities were not in place or not consistently performed.

Prior-Year Condition: A selected FinCEN system had a user account on the database that had unnecessary access permissions. We noted this was due to database accounts not being sufficiently reviewed for access privileges. This was a self-identified weakness resulting from FinCEN's security assessment and authorization and was scheduled to be corrected on January 14, 2013.

Recommendation(s): Based on the planned corrective actions for FinCEN, we are not making additional recommendations.

Status: Implemented/Closed. The SSP for the selected system, dated June 2013, states that the POA&M has been closed. User accounts on the database are reviewed for unnecessary access privileges on a regular basis.


Finding #: Prior Year FY 2012 Finding #2 – Bureau of Engraving & Printing (BEP)
Security incidents were not reported in a timely manner.

Prior-Year Condition: BEP did not report 3 of the 15 sampled security incidents to TCSIRC within the one-hour time period required for a CAT 1 incident. Specifically, one incident was reported 50 minutes late, one incident was reported 65 minutes late, and another incident was not reported until seven days after identification. The BEP Help Desk reports incidents to the designated BEP Incident Coordinator, who then forwards the reported incident to the BEP CSIRC Management Team. This two-step process caused delays in the submission of the security incident to TCSIRC within BEP's documented time frames. Additionally, not all Help Desk members had been fully trained to respond to security incidents and properly report them to the BEP CSIRC Management Team.

Recommendation(s): We recommend that BEP management:
    1.  Revise the current Incident Response reporting process and written procedures to have the Help Desk send all incidents to the CSIRC group as opposed to the BEP Incident Coordinator.
    2.  Provide additional training to the Help Desk team members regarding BEP's incident response policies and procedures to ensure they are consistently implemented. Additional training for Help Desk personnel should include the same curriculum used by BEP CSIRC management team members to allow for better understanding of the incident reporting process.

Status: Implemented/Closed. Policies, procedures, and training materials have been updated to document and train Help Desk staff on the new process for reporting security incidents. When a ticket is created for a CAT 1 incident, the system automatically notifies the BEP CSIRC and the TCSIRC of the incident. In addition, every member who was noted in the CSIRC training attendance sheet attended the required BEP CSIRC training.


Finding #: Prior Year FY 2012 Finding #2 – Bureau of the Public Debt (BPD)
Security incidents were not reported in a timely manner.

Prior-Year Condition: BPD did not report one out of three security incidents within the required one-hour time period for a CAT 1 incident (the incident took 14 hours to report). The delay was caused by BPD's reliance on United Parcel Service (UPS) to verify the status of a missing package. BPD followed UPS's advice and waited until the following day, when the next UPS delivery was made, to ensure that the package was truly lost.

Recommendation(s): We recommend that BPD management:
    1.  Ensure that BPD's CSIRC reports all CAT 1 incidents to US-CERT within one hour regardless of any additional procedures (follow-up, confirmation, or additional feedback from a third party) performed by CSIRC personnel.
    2.  Provide additional training to BPD's CSIRC management team regarding BPD's incident response policies and procedures to ensure that all incidents are reported in time regardless of reliance on third parties to confirm incident

Status: Reissued/Closed. FMS and BPD consolidated into one organization, Fiscal Service, in October 2012. As a result of this consolidation, we closed this prior-year finding and created a new security incident finding specific to Fiscal Service.


Finding #: Prior Year FY 2012 Finding #2 – Financial Crimes Enforcement Network (FinCEN)
Security incidents were not reported in a timely manner.

Prior-Year Condition: FinCEN did not report 1 of the 12 incidents to TCSIRC within the required one-hour time period for a CAT 1 incident. Specifically, the incident was reported 69 hours after identification. There was only one person responsible for FinCEN's CSIRC reporting, and the incident occurred when this person was out of the office, which delayed reporting until he returned. At the time, there were no backup CSIRC personnel.

Recommendation(s): We recommend that FinCEN management evaluate its current CSIRC capability for collecting and submitting incident responses and implement backup CSIRC personnel to ensure that incident response tickets are handled in a timely fashion.

Status: Implemented/Closed. Updated policies, procedures, and training materials have been implemented. The updates help to document and train the help desk staff about the improved way of reporting security incidents. In addition, all security incident response reports received for the current year are compliant and have been handled in a timely manner.


Finding #: Prior Year FY 2012 Finding #3 – Office of Comptroller of the Currency (OCC)
System security plans at OCC and FMS did not fully document all security controls from NIST SP 800-53, Rev. 3.

Prior-Year Condition: The two selected information systems from OCC did not include all required security controls in areas such as access control, audit and accountability, contingency planning, identification and authentication, maintenance, media protection, system and communications protection, and system and information integrity, as specified in NIST SP 800-53, Rev. 3. We noted that the conditions cited above occurred because OCC management did not perform an adequate review of the two selected systems' SSPs and overlooked the lack of these controls and control enhancements when updating the SSPs.

Recommendation(s): We recommend that OCC management:
    1.  For both selected systems, update the SSP to address and reference all the NIST SP 800-53, Rev. 3, security controls and control enhancements for a Moderate baseline.
    2.  For both selected systems, ensure management conducts an adequate review of the SSPs to ensure that they include the applicable NIST SP 800-53, Rev. 3, controls.

Status: Implemented/Closed. Both selected systems' SSPs have been updated and reviewed by management to ensure all the NIST SP 800-53, Rev. 3, security controls and control enhancements for a Moderate baseline have been referenced.


Finding #: Prior Year FY 2012 Finding #3 – Financial Management Service (FMS)
One SSP [system security plan] for FMS was not updated to address weaknesses identified in the security assessments.

Prior-Year Condition: The SSP for a selected FMS system did not reflect the current and primary source of backups for the application. FMS management stated that the error was due to a management oversight when updating the SSP.

Recommendation(s): We recommend that FMS management update the selected system's SSP to reflect the current and primary source of backups for the application.

Status: Implemented/Closed. FMS and BPD consolidated into one organization, Fiscal Service, in October 2012. Fiscal Service has updated the system security plan documentation to reflect the current primary backup process accurately.


Finding #: Prior Year FY 2012 Finding #3 – Financial Crimes Enforcement Network (FinCEN)
One SSP [system security plan] for FinCEN was not updated to address weaknesses identified in the security assessments.

Prior-Year Condition: FinCEN's SSP for the selected system did not reflect the results of its latest Security Assessment and Authorization, which required certain controls to be updated to reflect self-identified weaknesses. It was noted that this was a self-reported finding and was listed as a POA&M in the TAF system with an estimated completion date of January 14, 2013.

Recommendation(s): Based on the planned corrective actions for FinCEN, we are not making a recommendation.

Status: Implemented/Closed. The SSP was updated in June 2013 and signed off by the System Owner. The SSP reflects the results of the latest Security Assessment and Authorization.


Finding #: Prior Year FY 2012 Finding #4 – Financial Management Service (FMS)
Audit logs were not sufficiently reviewed by FMS in accordance with NIST and Department of the Treasury requirements.

Prior-Year Condition: A selected FMS system's audit capabilities and functions did not adhere to the Fiscal Service Baseline Services Requirements (BLSR) and NIST SP 800-53, Rev. 3, guidance as required for HIGH categorized systems. Specifically, it did not have any automated capabilities or any supporting processes to log and monitor security-relevant events. When designing the system, FMS management did not adequately identify requirements and provide capabilities to log and monitor security-related events. In addition, management did not establish a robust monitoring process to support the review and follow-up of selected auditable events, and management did not document within the system security plan the specific security-related events that will be monitored on an ongoing basis.

Recommendation(s): We recommend that FMS management:
    1.  Enhance the selected system's audit capabilities to capture security-related events as prescribed by the BLSR and NIST SP 800-53 guidance.
    2.  Establish a clear oversight process to review the security-related events and ensure appropriate follow-up action is taken as prescribed by the BLSR and NIST SP 800-53.
    3.  Update the selected system's system security plan to document security-related events that need to be monitored as prescribed by the BLSR.

Status: Implemented/Closed. FMS and BPD consolidated into one organization, Fiscal Service, in October 2012. Fiscal Service has updated the system security plan to document the security-related events that need to be monitored, and it is consistent with the BLSR. In addition, management has enhanced its system audit capabilities to capture security events as prescribed by the BLSR and NIST SP 800-53 and established a clear oversight process to review the security-related events and follow up where appropriate.


Finding #: Prior Year FY 2012 Finding #4 – Departmental Offices (DO)
Audit logs were not sufficiently reviewed by FMS and DO in accordance with NIST and Department of the Treasury requirements.

Prior-Year Condition: A selected DO system lacked a process to review audit records. DO management self-identified this weakness during a continuous monitoring assessment in June 2012. While there was a documented corrective action plan in the continuous monitoring report, there was not an updated POA&M item during the FISMA year.

Recommendation(s): We recommend that DO management include the corrective action plans from the selected system's continuous monitoring report in a POA&M item.

Status: Implemented/Closed. We noted that a POA&M item was added for the selected system, which cross-referenced the corrective action plans from the continuous monitoring report.


Finding #: Prior Year FY 2012 Finding #5 – Departmental Offices (DO)
Plans of Action and Milestones (POA&Ms) were not tracked in accordance with NIST and Department of the Treasury requirements at DO.

Prior-Year Condition: We noted that a selected DO system had multiple weaknesses identified in the June 2012 continuous monitoring test report that were not documented in the system POA&M. DO bureau policy requires that POA&Ms be entered within 30 days after weaknesses are initially identified. The failure to add these findings to the POA&M was an oversight by DO management when updating the system POA&M.

Recommendation(s): We recommend that DO management:
    1.  Update the selected system POA&M with the findings and recommendations reported in the system continuous monitoring test report.
    2.  Ensure the continuous monitoring test results and recommendations are captured within the selected system POA&M within the 30-day required period.

Status: Partially Implemented/Open. DO updated the POA&M to include all the findings and remediations documented in the selected system's Continuous Monitoring Test Report. There was no continuous monitoring test done this year due to the moving of facilities, so DO was not able to update the POA&M with any new results.


Finding #: Prior Year FY 2012 Finding #6 – Financial Management Service (FMS)
Vulnerability scanning and remediation was not performed in accordance with Department of the Treasury requirements.

Prior-Year Condition: For a selected FMS system, FMS was unable to provide us with supporting documentation confirming that vulnerability scans were being performed over the system's Internet Protocol (IP) addresses. Therefore, we could not determine if vulnerability scans had been performed, if any vulnerabilities were identified, and if any corresponding corrective actions or POA&M had been implemented.

Recommendation(s): We recommend that FMS management:
    1.  Formally document the vulnerability scanning and flaw remediation processes for the Fiscal Service organization and communicate the processes to affected field personnel.
    2.  Maintain a complete listing of hosts and IP addresses for the selected FMS system production environment, document any changes to this listing, and retain enough supporting documentation to confirm the accuracy of completed vulnerability scans.

Status: Implemented/Closed. Formal documentation with the SOP was created to document the vulnerability scanning and flaw remediation process. Management maintains a complete listing of hosts and IP addresses and retains supporting documentation to confirm the accuracy of completed vulnerability scans.


Finding #: Prior Year FY 2012 Finding #6 – Mint
Vulnerability scanning and remediation was not

Prior-Year Condition: For a selected Mint system, the November 2011 vulnerability scan contained vulnerabilities with a high risk rating that were not remedied prior to the March 2012 vulnerability scans. The Mint POA&M report

Recommendation(s): We recommend that Mint management follow their vulnerability remediation policy for all vulnerabilities, including older, noncritical patches, to ensure that vulnerabilities are not missed in the remediation process.

Status: Implemented/Closed. Mint updated their vulnerability remediation
       policy and patched open\nperformed in accordance with    from TAF, generated in June 2012, did not                                                              vulnerabilities in a timely\nDepartment of the Treasury      reflect the open vulnerabilities. These                                                                manner.\nrequirements.                   vulnerabilities were not properly remedied due\n                                to the Mint\xe2\x80\x99s management decision to\n                                remediate noncritical vulnerabilities using a\n                                risk-based approach. This risk-based approach\n                                did not address all noncritical vulnerabilities in\n                                a timely manner and deviated from the Mint\xe2\x80\x99s\n                                vulnerability remediation policy, which\n                                requires noncritical patches to be applies on a\n                                bimonthly basis.\nPrior Year FY 2012              For the selected DO system, DO management            We recommend that DO management include           Implemented/Closed\nFinding #6 \xe2\x80\x93 Departmental       identified multiple high-risk weaknesses in          the corrective action plans from the selected\nOffices (DO)                    vulnerability scans and missing scans for            system\xe2\x80\x99s continuous monitoring report into a      We noted that a POA&M item\n                                database components during DO\xe2\x80\x99s continuous           POA&M item.                                       was added for the selected\nVulnerability scanning and      monitoring assessment in 2012. 
While a                                                                 system, which cross-\nremediation was not             documented corrective action plan was                                                                  referenced the corrective\nperformed in accordance with    established in the continuous monitoring                                                               action plans from the\nDepartment of the Treasury      report, the weaknesses were not recorded in                                                            continuous monitoring report.\nrequirements.                   the POA&M during the FISMA year.\n\n\n\n\n                                                                                                                                                                Page 29\n\x0cStatus of Prior-year Findings                                                                                                                        Appendix II\n\n          Finding #                          Prior-Year Condition                              Recommendation(s)                               Status\nPrior Year FY 2012                For both selected BPD systems, BPD               Based upon the planned correction actions for   Implemented/Untested\nFinding #6 \xe2\x80\x93 Bureau of the        management identified that there were            BPD, we are not making a recommendation.\nPublic Debt (BPD)                 insufficient procedures over vulnerability                                                       FMS and BPD consolidated\n                                  remediation in place. This was a self-reported                                                   into one organization, Fiscal\nVulnerability scanning and        finding and documented within BPD\xe2\x80\x99s                                                              Service, in October 2012. We\nremediation was not               POA&M report on TAF. 
The POA&M item is                                                           noted that Fiscal Service\nperformed in accordance with      scheduled to be completed on June 30, 2013.                                                      corrected the vulnerability\nDepartment of the Treasury                                                                                                         remediation procedures but\nrequirements.                                                                                                                      did not complete all corrective\n                                                                                                                                   actions until June 2013 and\n                                                                                                                                   was unable to test the\n                                                                                                                                   effectiveness. The finding will\n                                                                                                                                   be tested as part of the FY\n                                                                                                                                   2014 FISMA evaluation.\nPrior Year FY 2012                For both selected OCC systems, OCC               Based upon the planned correction actions for   Implemented/Closed\nFinding #6 \xe2\x80\x93 Office of            management identified multiple high-risk         OCC, we are not making a recommendation.\nComptroller of the Currency       weaknesses in vulnerability scans that were                                                      Weaknesses discovered in\n(OCC)                             not remediated. 
This was a self-reported                                                         vulnerability scans were\n                                  finding and documented within OCC\xe2\x80\x99s                                                              remediated.\nVulnerability scanning and        POA&M report on TAF. The POA&M item is\nremediation was not               scheduled to be completed on August 15,\nperformed in accordance with      2012.\nDepartment of the Treasury\nrequirements.\nPrior Year FY 2012                Contingency plan documentation for a selected    We recommend that DO management include         Implemented/Closed\nFinding #7 \xe2\x80\x93 Departmental         DO system was not updated within the FISMA       the corrective action plans from the selected\nOffices (DO)                      year. Additionally, contingency plan testing     system\xe2\x80\x99s continuous monitoring report into a    We noted that a POA&M item\n                                  was not performed for the system within the      POA&M item.                                     was added for the selected\nContingency planning and          FISMA year. DO management self-identified                                                        system, which cross-\ntesting controls were not fully   these weaknesses during a continuous                                                             referenced the corrective\nimplemented or operating as       monitoring assessment in June 2012. While                                                        action plans from the\ndesigned.                         
there was a documented corrective action plan                                                    continuous monitoring report.\n                                  in the continuous monitoring report, there was\n                                  not an updated POA&M item during the\n                                  FISMA year.\n\n\n\n\n                                                                                                                                                           Page 30\n\x0cStatus of Prior-year Findings                                                                                                                          Appendix II\n\n          Finding #                           Prior-Year Condition                               Recommendation(s)                               Status\nPrior Year FY 2012                For one selected FMS system, FMS                   Based on the planned corrective actions for      Implemented/Closed\nFinding #7 \xe2\x80\x93 Financial            management identified the contingency plan         FMS, we are not making a recommendation.\nManagement Service (FMS)          test was not performed within the FISMA                                                             We determined that\n                                  year. This was a self-reported finding and                                                          contingency plan tests were\nContingency planning and          documented within FMS\xe2\x80\x99s POA&M report on                                                             performed and completed as\ntesting controls were not fully   TAF, with an estimated completion date of                                                           of September 2012 for both\nimplemented or operating as       August 30, 2012.                                                                                    
systems.\ndesigned.\n                                  For another selected FMS system, FMS\n                                  management identified one of three disaster\n                                  recovery exercise reconstitution test objectives\n                                  was not completed during contingency plan\n                                  testing. This was a self-reported finding and\n                                  documented within FMS\xe2\x80\x99s POA&M report on\n                                  TAF, with an estimated completion date of\n                                  August 30, 2012.\nPrior Year FY 2012                BPD management could not provide sufficient        We recommend that BPD management                 Implemented/Closed\nFinding #8 \xe2\x80\x93 Bureau of the        supporting documentation evidencing that the       enhance the logging capability of the system\xe2\x80\x99s\nPublic Debt (BPD)                 backup jobs were run successfully. As a result,    backup process so management can determine       The audit logging capability\n                                  we were unable to test the operating               whether the backups were successfully            of the system has been\nBackup controls were not in       effectiveness of the controls over backups. The    completed.                                       enhanced to confirm if a\nplace or were not operating as    weekly backup logs did not specify whether                                                          backup has been successfully\ndesigned.                         the selected backup jobs were successful or                                                         completed.\n                                  had failed. 
BPD stated that the system was not\n                                  configured to include the backup status on the\n                                  logs.\n\n\n\n\n                                                                                                                                                            Page 31\n\x0cStatus of Prior-year Findings                                                                                                                      Appendix II\n\n          Finding #                         Prior-Year Condition                              Recommendation(s)                              Status\nPrior Year FY 2012             Backups of CDFI Fund data for the selected         We recommend that CDFI Fund management          Implemented/Closed\nFinding #8 \xe2\x80\x93 Community         system were not being performed on a regular       ensure that the system backups are completed\nDevelopment Financial          basis. Upon inspection of all successful           successfully per the defined frequency in the   We noted daily incremental\nInstitutions (CDFI) Fund       backups between December 2011 and April            SSP, and retain evidence of successful          backups and a weekly full\n                               2012, it was noted that backups of data were       completion for one year.                        backup are being performed,\nBackup controls were not in    occurring, but the frequency ranged from two                                                       as required by the SSP.\nplace or were not operating as to seven times a month. This did not comply\ndesigned.                      with the SSP, which indicated that daily\n                               incremental backups and a weekly full\n                               backups occur. 
CDFI Fund stated that TTB\n                               took over the backup responsibilities in May\n                               2012, and, as a result of the upcoming\n                               transition, evidence for successful backups\n                               was not maintained.\nPrior Year FY 2012             A selected DO system lacked sufficient             We recommend that DO management include         Implemented/Closed\nFinding #9 \xe2\x80\x93 Departmental      mechanisms to track and detect unauthorized        the corrective action plans from the selected\nOffices (DO)                   changes. DO management self-identified these       system\xe2\x80\x99s continuous monitoring report into a    We noted that a POA&M item\n                               weaknesses during a continuous monitoring          POA&M item.                                     was added for the selected\nSystem configuration settings assessment in June 2012. While there was a                                                          system, which cross-\nwere not implemented           documented corrective action plan in the                                                           referenced the corrective\nproperly.                      
continuous monitoring report, there was not an                                                     action plans from the\n                               updated POA&M item during the FISMA                                                                continuous monitoring report.\n                               year.\nPrior Year FY 2012             For both selected OCC systems, OCC                 Based upon the planned correction actions for   Implemented/Closed\nFinding #9 \xe2\x80\x93 Office of         management identified configuration settings       OCC, we are not making a recommendation.\nComptroller of the Currency were not set to the most restrictive settings                                                         Established the definitive\n(OCC)                          possible. Both systems had multiple                                                                OCC baseline configurations\n                               weaknesses identified in configuration settings                                                    and reviewed all\nSystem configuration settings that did not meet the require threshold for                                                         configurations to ensure\nwere not implemented           restrictive settings as stated by NIST. This was                                                   compliance to the baseline.\nproperly.                      a self-reported finding and documented within\n                               OCC\xe2\x80\x99s POA&M report on TAF. 
The POA&M\n                               item is scheduled to be completed on\n                               December 31, 2013.\n\n\n\n\n                                                                                                                                                        Page 32\n\x0cStatus of Prior-year Findings                                                                                                                         Appendix II\n\n         Finding #                          Prior-Year Condition                               Recommendation(s)                                Status\nPrior Year FY 2012              Both selected BPD systems did not have            We recommend that BPD management for              Implemented/Closed\nFinding #10 \xe2\x80\x93 Bureau of the     baseline configurations formally documented.      both selected systems, develop baseline\nPublic Debt (BPD)               BPD management was aware of the lack of           configurations (applications build guides) that   Baseline configurations were\n                                this documentation for both systems; however,     are consistent with the system\xe2\x80\x99s SSP and          developed that are consistent\nSystem baselines were not       management had planned to rely on system          Federal Enterprise Architecture.                  with both the SSP and Federal\ndocumented properly.            backups to restore system information in case                                                       Enterprise Architecture.\n                                of a disaster event.\nPrior Year FY 2012              A selected FMS system lacked sufficient           We recommend that FMS management:                 Partially Implemented/Open\nFinding#10 \xe2\x80\x93 Financial          system baseline documentation. 
Specifically,\nManagement Service (FMS)        the baseline documentation did not establish      1   Clarify the distinction between program       We noted that Management\n                                operational requirements. Moreover,                   change control and system configuration       developed an Enterprise\nSystem baselines were not       documentation of the following elements did           management within the FMS Entity-Wide         Configuration Management\ndocumented properly.            not exist: mandatory configuration settings for       IT Standards and the selected system          Plan to address\n                                the information system components to reflect          Configuration Management Plan by              Recommendations #1 and #3\n                                the most restrictive mode; list of authorized         documenting and considering correcting        in March 2013.\n                                and unauthorized programs; and mechanisms             gaps in the current process and work flow\n                                to verify configuration settings and respond to       to clearly outline work flow, tasks, and      However, Management has\n                                unauthorized changes. The selected system             management oversight.                         
not updated the Configuration\n                                Configuration Management Plan did not             2   Update the selected system Configuration      Management Plan per\n                                provide a clear distinction between program           Management Plan to establish operational      Recommendation #2, and is\n                                change control and system configuration               requirements and document the following       still open with a new estimate\n                                management processes identified in the FMS            elements: mandatory security relevant         of completion in October\n                                Entity-Wide IT Standards. The lack of clarity         configuration settings, description of the    2013.\n                                and baseline features within the selected             controls to address unauthorized security\n                                system Configuration Management Plan was              relevant changes to the configuration of\n                                overlooked by FMS management when                     the system, and a list of\n                                establishing the plan.                                
authorized/unauthorized changes.\n                                                                                  3   Document a secure baseline and\n                                                                                      mandatory configuration settings for the\n                                                                                      information system components in the\n                                                                                      selected system Configuration\n                                                                                      Management Plan to reflect the most\n                                                                                      restrictive mode in support of the security\n                                                                                      controls for the system.\n\n\n\n\n                                                                                                                                                           Page 33\n\x0cStatus of Prior-year Findings                                                                                                                   Appendix II\n\n         Finding #                        Prior-Year Condition                             Recommendation(s)                              Status\nPrior Year FY 2012             KPMG confirmed that, for a selected FinCEN      Based upon the planned correction actions for   Implemented/Closed\nFinding #10 \xe2\x80\x93 Financial        system, FinCEN management identified the        FinCEN, we are not making a\nCrimes Enforcement             baseline settings were outdated. This was a     recommendation.                                 
System baselines have been\nNetwork (FinCEN)               self-reported finding and documented within                                                     identified and documented\n                               FinCEN\xe2\x80\x99s POA&M report on TAF. The                                                               properly.\nSystem baselines were not      POA&M item is scheduled to be completed on\ndocumented properly.           January 14, 2013.\nPrior Year FY 2012             NIST SP 800-53, Rev. 3, guidance requires       Based on FMS\xe2\x80\x99s planned corrective actions,      Implemented/Closed\nFinding#11 \xe2\x80\x93 Financial         systems to implement multifactor                we are not making a recommendation.\nManagement Service (FMS) authentication to local and network access to                                                         Management implemented\n                               privileged and nonprivileged accounts.                                                          multifactor authentication to\nMultifactor authentication was Multifactor authentication provides an                                                          local and network access for\nnot implemented.               additional level of security for accounts to                                                    privileged and non-privileged\n                               prevent unauthorized access within the IT                                                       accounts.\n                               infrastructure. KPMG confirmed that, for the\n                               selected FMS system, FMS management\n                               identified it did not implement multifactor\n                               authentication for any level of access to the\n                               system. This was a self-reported finding and\n                               documented within FMS\xe2\x80\x99s POA&M report on\n                               TAF. 
The POA&M item is scheduled to be\n                               completed on December 31, 2012.\n\n\n\n\n                                                                                                                                                      Page 34\n\x0cStatus of Prior-year Findings                                                                                                                         Appendix II\nPrior Year Findings - 2011 Performance Audit\n\n\n         Finding #                          Prior-Year Condition                              Recommendation(s)                                 Status\nPrior Year FY 2011              TIGTA did not fully document account              Based on TIGTA\xe2\x80\x99s planned corrective actions,      Open.\nFinding #1 \xe2\x80\x93 Treasury           management activities (e.g., review frequency,    we are not making a recommendation.\nInspector General for Tax       inactivity limits, use of shared accounts) in                                                       TIGTA has not finished\nAdministration (TIGTA)          their SSPs. TIGTA management was unaware                                                            completing its corrective\n                                of the lack of documentation until a 2010                                                           action.\nLogical account management      security assessment was conducted. In\nactivities were not fully       response to the security assessment, TIGTA\ndocumented or consistently      established four corrective actions in the\nperformed.                      system\xe2\x80\x99s POA&M with scheduled completion\n                                dates of October 2011, April 2012, July 2012,\n                                and December 2012. 
These security\n                                weaknesses continued to exist at the time of\n                                fiscal year (FY) 2011 FISMA audit.\nPrior Year FY 2011              For a sampled FMS payment management              We recommend that FMS management:                 Open.\nFinding #1\xe2\x80\x93 Financial           system, 12 user accounts out of 2,950\nManagement Service (FMS)        inappropriately remained active following 90      1   Continue to monitor the automated             In FY 2012, we were\n                                days of inactivity. Additionally, 920 user            solution to disable user accounts after 90    informed that\nLogical account management      accounts out of 2,950 did not have a last login       days of inactivity in order to confirm the    Recommendation #1 of the\nactivities were not fully       date recorded, suggesting these accounts may          automated solution is working in all cases.   FY 2011 finding has been\ndocumented or consistently      never have been used by the account owner.        2   Perform a manual monthly review of all        addressed.\nperformed.                      We noted a similar finding in a FY 2010               user accounts, and disable or delete (as\n                                financial statement audit for the sampled             appropriate) accounts that have not logged    However in FY 2013, we\n                                system, but FMS\xe2\x80\x99s corrective actions to               into the system within the prior 90 days      noted that 19 active user\n                                implement a fully automated solution to               until the manual, monthly review              accounts have not logged in\n                                disable inactive accounts were not fully              demonstrates that the automated solution      greater than 120 days since the\n                                effective. 
(Continuation of the prior-year finding that begins on the previous page)

Prior-Year Condition (continued): FMS attributed the noted conditions to human error during the transition to an automated solution. Prior to and after the transition to a fully automated solution, FMS did not monitor if the automated solution was working as intended.

Recommendation(s) (continued): ... is working for three consecutive months.

Status (continued): ... list was generated (July 15, 2013 or earlier). Also, of these active users, five accounts did not have a "last log on date", when their account had been created more than 120 days before the listing was generated.

Page 35

Status of Prior-year Findings                                                                Appendix II

Columns: Finding # | Prior-Year Condition | Recommendation(s) | Status

Finding #: Prior Year FY 2011 Finding #2 – FMS. Security incidents were not reported timely.

Prior-Year Condition: FMS employees did not immediately report 10 of 10 confirmed security incidents to FMS's help desk as required by FMS policy. Additionally, FMS's information security group did not report seven of these confirmed security incidents to TCSIRC within the required one-hour time period for Category 1 incidents (three security incidents were reported in one day, two were reported in two days, and the remaining three were reported in three days). Rather than report all suspected and confirmed incidents, FMS failed to notify TCSIRC until sufficient evidence was gathered and approved by FMS executives, as required by FMS policies and procedures. Contributing to the untimely reporting was a lack of after-hours coverage by the incident response personnel. Additionally, we attributed the untimely reporting by FMS employees to a lack of sufficient awareness and training.

Recommendation(s): We recommend that FMS management:
  1. Revise the current incident reporting process and associated written procedures to ensure timely reporting. This could include the FMS incident response management notifying TCSIRC of suspected or confirmed security events without the need for further FMS Executive management approvals.
  2. Provide additional training to FMS security personnel regarding FMS's revised incident response policies and procedures to ensure these policies and procedures are consistently implemented.
  3. Consider, if feasible, a Distributed Incident Response Team or a Partially Outsourced Team to achieve 24x7x365 coverage, per NIST SP 800-61, Computer Security Incident Handling Guide. Such a strategy could involve sharing TCSIRC resources with other Department of the Treasury bureaus.
  4. Improve FMS employee awareness to report both confirmed and suspected security incidents to the FMS Service Desk. FMS could create awareness through periodic reminders via e-mail, posting security posters in common employee areas, and through increased emphasis in annual security and awareness training.

Status: Reissued/Closed. FMS and BPD consolidated into one organization, Fiscal Service, in October 2012. As a result of this consolidation, we closed this prior-year finding and created a new security incident finding specific to Fiscal Service.

Finding #: Prior Year FY 2011 Finding #3 – DO. SSPs did not fully adopt NIST recommended security controls from NIST Special Publication (SP) 800-53, Rev. 3.

Prior-Year Condition: NIST and Treasury guidance require that Treasury SSPs remain up-to-date and current with the NIST Risk Management Framework and required NIST SP 800-53 security controls. We noted that one sampled information system from DO utilized outdated NIST guidance (Rev. 2). Specifically, the SSPs did not include all required security controls as specified in NIST SP 800-53, Rev. 3, Recommended Security Controls for Federal Information Systems and Organizations, dated August 2009. We noted that the conditions cited above for DO had various contributing factors, including the bureau's and vendor's misunderstanding of contract requirements to maintain compliance with all NIST standards.

Recommendation(s): We recommend that DO management instruct the vendor to update the SSPs to include NIST SP 800-53, Rev. 3, security controls and associated control enhancements.

Status: Implemented/Closed. The selected systems have updated the SSP to reference all of the NIST SP 800-53, Rev. 3, security controls and control enhancements for a High baseline.

Finding #: Prior Year FY 2011 Finding #3 – FMS. SSPs did not fully adopt NIST recommended security controls from NIST SP 800-53, Rev. 3.

Prior-Year Condition: During the audit period, FMS revised its SSP template and associated checklist to incorporate NIST SP 800-53, Rev. 3, controls. However, the sampled system's SSP utilized older Rev. 2 controls, and FMS's quality control process did not reject this sampled SSP.

Recommendation(s): We recommend that FMS management ensure that System Owners and ISSOs review and update SSPs by using the FMS-approved SSP template and baseline security requirements, which incorporate NIST SP 800-53, Rev. 3, security controls.

Status: Implemented/Closed. KPMG noted that the SSP had been updated on June 30, 2013 to align with NIST SP 800-53, Rev. 3 guidance.

Finding #: Prior Year FY 2011 Finding #4 – FMS. Insufficient audit log reviews.

Prior-Year Condition: For a sampled application, FMS did not document its weekly review of failed login events during the FISMA audit period. While FMS took actions to address a similar issue in a prior-year financial statement audit by developing audit log review procedures for failed login attempts, the limited scope of FMS's corrective actions did not include a risk analysis necessary to identify significant audit events worthy of review and subsequent investigation, as suggested by NIST SP 800-53 security control AU-2, Auditable Events. The audit log review and SSP did not address broader user account activities such as the creation of new accounts with administrative capabilities or changes in user account permissions. In addition, the proposed audit log review procedures did not include monitoring changes to specific information system components such as the database, sensitive files, or production source code. Finally, the implemented audit log procedures did not address potentially suspicious or unusual transactions that could be performed in the sampled payment management system.

Recommendation(s): We recommend that FMS management:
  1. Identify and document significant audit events that warrant review and further investigation.
  2. Update the SSP in order to reflect the results of the risk analysis and clearly assign ownership and responsibility for implementing the agreed-upon audit log review procedures.
  3. Ensure that sufficient resources are available to implement audit log review procedures.

Status: Implemented/Closed. Management has implemented procedures for reviewing and monitoring significant audit events and audit log reports, and has updated the SSP to reflect this process.

Finding #: Prior Year FY 2011 Finding #6 – FMS. POA&Ms were not tracked and remediated in accordance with NIST and Department of the Treasury requirements.

Prior-Year Condition: FMS did not record and update security vulnerabilities in a timely manner for three sampled systems. For the sampled systems, we noted that FMS did not review and revise expected completion dates for corrective actions, record known high-risk vulnerabilities that FMS could not close in 60 days, or correctly report the completion status on outstanding POA&M items. In both the FY 2009 and FY 2010 FISMA audits at FMS, we noted similar POA&M weaknesses for different information systems. FMS took corrective actions to resolve the immediate instances of noncompliance; however, FMS did not resolve bureau-wide challenges to accurately and sufficiently report all system security weaknesses in POA&Ms. A lack of System Owner and ISSO accountability, as indicated in their Appointment Letters, and communication issues between the ISSO and FMS's information security group contributed to the conditions described above.

Recommendation(s): We recommend that FMS management:
  1. Perform a comprehensive study of FMS's POA&M management practices to resolve ongoing auditor-identified POA&M challenges. Based on the outcome of this study, FMS should implement corrective actions designed to ensure complete, accurate and timely reporting of POA&M items.
  2. Strengthen FMS's existing policies and procedures regarding POA&Ms based on the outcome of FMS's study. The revised FMS policies and procedures should define roles, responsibilities, and expected communication frequency among key participants and decision makers.
  3. Promote increased involvement by FMS executives and Authorizing Officials in the POA&M management process. Such actions could include establishing performance metrics and associated incentives and/or disincentives for FMS management personnel to accurately report and resolve noted security weaknesses in their portfolio of information systems.
  4. Promote personal accountability for executing information security responsibilities, such as those listed in the ISSO and System Owner Appointment Letters, by incorporating those responsibilities and expected outcomes in the employees' Annual Performance Plan.

Status: Implemented/Closed. Management has developed a comprehensive POA&M process and has strengthened its existing policies and procedures to define roles and responsibilities.

Finding #: Prior Year FY 2011 Finding #8 – FMS. Contingency planning and testing and backup controls were not fully implemented or operating as designed.

Prior-Year Condition: FMS did not complete a failover and contingency plan test for two Critical Infrastructure Protection (CIP) payment management systems residing at FMS in accordance with FMS security standards and NIST SP 800-53 Rev. 3 requirements. During the nine-month period from October 1, 2010 through June 30, 2011, these two CIP systems processed 911 million payments totaling $1.93 trillion. These two systems process nearly all Social Security Administration payments, Medicare and Medicaid payments, IRS tax refunds, Veterans Affairs payments, and other United States government vendor payments. However, these two systems had only undergone a tabletop disaster recovery test during FY 2010 and FY 2011 and had not completed a full disaster recovery test at the recovery site in the prior two years. Per FMS and NIST SP 800-34 requirements, disaster recovery simulation exercises, such as tabletop exercises, are sufficient for "Moderate" systems but not "High" impact systems. FMS categorized these CIP systems as having a "High" FIPS 199 impact rating with a two-hour recovery time objective. This designation requires FMS to perform a failover, recovery and reconstitution (including communications with applications and third parties) of critical systems at an alternate site on an annual basis. FMS delayed failover contingency plan tests in FY 2011 and FY 2010 due to operational priorities to relocate and consolidate data centers.

Recommendation(s): We recommend that FMS management expedite the planned disaster recovery testing at the alternate recovery site to confirm that (a) FMS can resume mission critical functions within the stated two-hour recovery window and (b) the applications can operate successfully and communicate with other essential applications and third parties.

Status: Implemented/Closed. FMS and BPD consolidated into one organization, Fiscal Service, in October 2012. Fiscal Service management completed contingency plan testing for both systems in September 2012.

Finding #: Prior Year FY 2011 Finding #8 – TIGTA. Contingency planning and testing and backup controls were not fully implemented or operating as designed.

Prior-Year Condition: The selected TIGTA system lacked sufficient documentation regarding the system's contingency plan and contingency plan testing. Specifically, the documentation did not include certain key software used. TIGTA management identified these weaknesses during a 2010 security assessment and established two POA&M items with scheduled completion dates of January 2012 and June 2012.

Recommendation(s): Based on TIGTA's planned corrective actions, we are not making a recommendation.

Status: Open. TIGTA has not finished completing its corrective action.

Finding #: Prior Year FY 2011 Finding #10 – TIGTA. Risk management program was not consistent with NIST SP 800-37, Rev. 1.

Prior-Year Condition: TIGTA was aware of the requirement to comply with NIST SP 800-37, Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems, by February 2011, but had not updated the risk management program at the time of the FY 2011 FISMA audit. As NIST SP 800-37 Rev. 1 was issued in February 2010, OMB requires federal agencies to adopt this NIST guidance within one year of issuance. We did not determine a cause, as the weakness was self-reported. TIGTA created a POA&M item to address identified gaps and developed corrective actions to become compliant, with a completion date of August 2014. An insufficient risk management program can lead to ineffective risk-based decision-making and untimely implementation of system-level controls.

Recommendation(s): Based on TIGTA's planned corrective actions, we are not making a recommendation.

Status: Open. TIGTA has not finished completing its corrective action.

Finding #: Prior Year FY 2011 Finding #12 – TIGTA. Improper system configuration programs.

Prior-Year Condition: The sampled TIGTA system lacked formal documentation in certain areas of configuration management. TIGTA management identified this weakness in a 2010 security assessment and created POA&M remediation actions to address the weaknesses identified, with a completion date of May 2012.

Recommendation(s): Based on TIGTA's planned corrective actions, we are not making a recommendation.

Status: Open. TIGTA has not finished completing its corrective action.

The Department of the Treasury's Consolidated Response to DHS's FISMA 2013 Questions for Inspectors General                                 Appendix III

APPENDIX III – THE DEPARTMENT OF THE TREASURY'S CONSOLIDATED RESPONSE TO DHS's FISMA 2013 QUESTIONS FOR INSPECTORS GENERAL

The information included in Appendix III represents the Department of the Treasury's (Treasury) consolidated responses to the Department of Homeland Security's (DHS) FISMA 2013 questions for Inspectors General. KPMG prepared responses to DHS questions based on an assessment of 15 information systems across 12 Treasury components, excluding the IRS. KPMG determined the overall status of each DHS question based on the magnitude of the aggregated findings under each category, with OIG acceptance. TIGTA performed audit procedures over the IRS information systems and provided its answers to the Treasury OIG and KPMG for consolidation. These answers are included within the table below. The information provided by TIGTA has not been subjected to KPMG audit procedures and, accordingly, we express no opinion on it.

1: Continuous Monitoring

Status of Continuous Monitoring Program [check one: Yes or No]

[Yes] 1.1. Has the Organization established an enterprise-wide continuous monitoring program that assesses the security state of information systems that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines? If yes, besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes:
    [Yes] 1.1.1. Documented policies and procedures for continuous monitoring (NIST 800-53: CA-7).
    [Yes] 1.1.2. Documented strategy and plans for continuous monitoring (NIST 800-37 Rev 1, Appendix G).
    [Yes] 1.1.3. Ongoing assessments of security controls (system-specific, hybrid, and common) that have been performed based on the approved continuous monitoring plans (NIST 800-53, NIST 800-53A).
    [Yes] 1.1.4. Provides authorizing officials and other key system officials with security status reports covering updates to security plans and security assessment reports, as well as a common and consistent POA&M program that is updated with the frequency defined in the strategy and/or plans (NIST 800-53, NIST 800-53A).

1.2. Please provide any additional information on the effectiveness of the organization's Continuous Monitoring Management Program that was not noted in the questions above.

    Comments – TIGTA: The IRS's annual assessments of system security controls are predominantly manual. The IRS's strategy for automating continuous monitoring includes the implementation of a tool called Archer, which will be a central repository and analysis engine for assessment results, such as automated vulnerability scans. Archer is in its initial development phases.

2: Configuration Management

Status of Configuration Management Program [check one: Yes or No]

[No] 2.1 Has the Organization established a security configuration management program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines? If yes, besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes:
    [Yes] 2.1.1. Documented policies and procedures for configuration management.
    [No] 2.1.2. Defined standard baseline configurations.
        Comments – Treasury OIG: Fiscal Service did not document all required aspects of baseline configuration for a selected system. TIGTA did not identify standard baseline configurations. (See Prior Year FY 2012 Finding #10 and Prior Year FY 2011 Finding #12.)
    [No] 2.1.3. Assessments of compliance with baseline configurations.
        Comments – TIGTA: The IRS has not deployed automated mechanisms to centrally manage, apply, and verify baseline configuration settings and produce FISMA compliance reports using the NIST-defined Security Content Automation Protocol (SCAP) format. During FY 2013, the IRS was in the process of implementing the Security Compliance Posture Monitoring and Reporting application, which is intended to provide the ability to assess compliance with baseline security controls in a SCAP-compliant format on an enterprise-wide level; however, its implementation has been delayed.
    [No] 2.1.4. Process for timely (as specified in organization policy or standards) remediation of scan result deviations.
        Comments – TIGTA: The IRS has not yet fully implemented vulnerability scanning tools and processes on all systems to ensure timely remediation of scan result deviations. Also, the IRS processes to share vulnerability information with system owners and administrators are still under development.
    [Yes] 2.1.5. For Windows-based components, USGCB secure configuration settings are fully implemented, and any deviations from USGCB baseline settings fully documented.
    [No] 2.1.6. Documented proposed or actual changes to the hardware and software configurations.
        Comments – TIGTA: The IRS has not yet fully implemented configuration and change management controls to ensure that proposed or actual changes to hardware and software configurations are documented and controlled. During FY 2013, the Enterprise Services organization was in the process of implementing the Enterprise Configuration Management System to provide an enterprise solution for configuration and change management.
    [No] 2.1.7. Process for the timely and secure installation of software patches.
        Comments – TIGTA: The IRS has not yet fully implemented a process to ensure timely and secure installation of software patches. During FY 2013, the IRS was in the process of evaluating tools that have the capability to perform automated patch management activities across a multitude of technologies and feed results to a centralized location. During the FY 2013 FISMA evaluation period, TIGTA and the Government Accountability Office (GAO) identified critical patches that were missing or installed in an untimely manner on IRS computers.
    [No] 2.1.8. Software assessing (scanning) capabilities are fully implemented (NIST 800-53: RA-5, SI-2).
        Comments – TIGTA: Monthly vulnerability scans are not being performed on all systems.
    [No] 2.1.9. Configuration-related vulnerabilities, including scan findings, have been remediated in a timely manner, as specified in organization policy or standards (NIST 800-53: CM-4, CM-6, RA-5, SI-2).
        Comments – TIGTA: The IRS has not yet fully implemented vulnerability scanning tools and processes on all systems to ensure timely remediation of scan result deviations. Also, IRS processes to share vulnerability information with system owners and administrators are still under development. During the FY 2013 FISMA evaluation period, TIGTA and the GAO identified servers that were not consistently configured to have strong controls.
    [No] 2.1.10. Patch management process is fully developed, as specified in organization policy or standards (NIST 800-53: CM-3, SI-2).
        Comments – TIGTA: The IRS has not yet implemented a process to ensure timely and secure installation of software patches. During FY 2013, the IRS was in the process of evaluating tools that have the capability to perform automated patch management activities across a multitude of technologies and feed results to a centralized location. During FY 2013, TIGTA and the GAO identified critical patches that were missing or installed in an untimely manner on IRS computers.

2.2. Please provide any additional information on the effectiveness of the organization's Configuration Management Program that was not noted in the questions above.

3: Identity and Access Management

Status of Identity and Access Management Program [check one: Yes or No]

[No] 3.1 Has the organization established an identity and access management program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines and identifies users and network devices? If yes, besides the improvement opportunities that have been identified by the OIG, does the program include the following attributes:
    3.1.1.
Documented policies and procedures for account and identity management (NIST 800-53: AC-1)\n                                 No\n                                           Comments \xe2\x80\x93 Treasury OIG: TIGTA did not formally document account management activities for a selected\n                                           system (See Prior Year FY 2011 Finding #1)\n\n\n\n\n                                                                                                                                                   Page 44\n\x0cThe Department of the Treasury\xe2\x80\x99s Consolidated Response to DHS\xe2\x80\x99s FISMA 2013 Questions for Inspectors General                                   Appendix III\n\nStatus of Identity and Access          3.1 Has the organization established an identity and access management program that is consistent with FISMA\nManagement Program [check one:             requirements, OMB policy, and applicable NIST guidelines and identifies users and network devices? If yes,\n                                 No\nYes or No]                                 besides the improvement opportunities that have been identified by the OIG, does the program include the\n                                           following attributes:\n                                           3.1.2. Identifies all users, including Federal employees, contractors, and others who access organization\n                                           systems.\n                                 No\n                                           Comments \xe2\x80\x93 TIGTA: The IRS has not fully implemented unique user identification that complies with\n                                           Homeland Security Presidential Directive-12 (HSPD-12). In addition, five of our 10 sampled systems did not\n                                           have the NIST SP 800-53 AC-2 security control in place.\n                                           3.1.3. 
Identifies when special access requirements (e.g., multi-factor authentication) are necessary.\n                                 No\n                                           Comments \xe2\x80\x93 TIGTA: The IRS did not fully implement multifactor authentication in compliance with HSPD-\n                                           12.\n                                           3.1.4. If multi-factor authentication is in use, it is linked to the organization's PIV program where appropriate\n                                           (NIST SP 800-53, IA-2).\n                                 No\n                                           Comments \xe2\x80\x93 TIGTA: The IRS has not fully deployed multifactor authentication via the use of an HSPD-12\n                                           PIV card for all users for network and local access to nonprivileged or privileged accounts as required by\n                                           HSPD-12.\n                                           3.1.5. Organization has planned for implementation of PIV for logical access in accordance with government\n                                           policies (HSPD 12, FIPS 201, OMB M-05-24, OMB M-07-06, OMB M-08-01, OMB M-11-11).\n                                 No\n                                           Comments \xe2\x80\x93 TIGTA: Although the IRS is working to achieve its goal of\n                                           85 percent mandatory PIV use by the end of Calendar Year 2013, considerable challenges still exist for\n                                           achieving full compliance due to its legacy environment.\n                                           3.1.6. 
Organization has adequately planned for implementation of PIV for physical access in accordance with\n                                 Yes\n                                           government policies (HSPD 12, FIPS 201, OMB M-05-24, OMB M-07-06, OMB M-08-01, OMB M-11-11).\n                                           3.1.7. Ensures that the users are granted access based on needs and separation-of-duties principles.\n\n                                           Comments \xe2\x80\x93 Treasury OIG: DO, Mint and TIGTA were unable to provide evidence that users access was\n                                 No        granted access based on needs. (See Finding #1)\n\n                                           Comments \xe2\x80\x93 TIGTA: During FY 2013, TIGTA and the GAO identified users that had been granted more\n                                           access than needed and instances where the separation-of-duties principle was not enforced.\n\n\n\n\n                                                                                                                                                     Page 45\n\x0cThe Department of the Treasury\xe2\x80\x99s Consolidated Response to DHS\xe2\x80\x99s FISMA 2013 Questions for Inspectors General                                 Appendix III\n\nStatus of Identity and Access           3.1 Has the organization established an identity and access management program that is consistent with FISMA\nManagement Program [check one:              requirements, OMB policy, and applicable NIST guidelines and identifies users and network devices? If yes,\n                                  No\nYes or No]                                  besides the improvement opportunities that have been identified by the OIG, does the program include the\n                                            following attributes:\n                                            3.1.8. 
Identifies devices with IP addresses that are attached to the network and distinguishes these devices\n                                            from users (For example: IP phones, faxes, and printers are examples of devices attached to the network that\n                                            are distinguishable from desktops, laptops, or servers that have user accounts).\n                                  No\n                                            Comments \xe2\x80\x93 TIGTA: During FY 2013, the IRS was still in the process of implementing tools to achieve\n                                            automated asset discovery and asset management.\n                                            3.1.9. Identifies all user and non-user accounts. (Refers to user accounts that are on a system. Data user\n                                  Yes       accounts are created to pull generic information from a database or a guest/anonymous account for generic\n                                            login purposes. They are not associated with a single user or a specific group of users).\n                                            3.1.10. Ensures that accounts are terminated or deactivated once access is no longer required.\n\n                                            Comments \xe2\x80\x93 Treasury OIG: Fiscal Service did not deactivate accounts after 90 days of inactivity (See Prior\n                                  No        Year FY 2011 Finding #1)\n\n                                             Comments \xe2\x80\x93 TIGTA: During FY 2013, TIGTA and the GAO identified systems that do not have controls in\n                                             place to ensure that accounts are terminated or deactivated once access is no longer needed.\n                                  Yes        3.1.11. Identifies and controls use of shared accounts.\n                                        3.2. 
Please provide any additional information on the effectiveness of the organization\xe2\x80\x99s Identity and Access\n                                        Management Program that was not noted in the questions above.\n\n                                        Comments \xe2\x80\x93 Treasury OIG: DO was unable to provide documentation evidencing administrators account\n                                        creation dates. TIGTA was unable to provide documentation evidencing users and their last login dates and times.\n                                        Fiscal Service was unable to provide documentation evidencing the users\xe2\x80\x99 last log-on dare or time. (See Finding #1\n                                        and Prior Year FY 2012 Finding #1)\n\n4: Incident Response and Reporting\n\nStatus of Incident Response and         4.1 Has the Organization established an incident response and reporting program that is consistent with FISMA\nReporting Program [check one:     Yes       requirements, OMB policy, and applicable NIST guidelines? If yes, besides the improvement opportunities\nYes or No]                                  that may have been identified by the OIG, does the program include the following attributes:\n                                            4.1.1. Documented policies and procedures for detecting, responding to, and reporting incidents (NIST 800-\n                                  Yes\n                                            53: IR-1).\n                                            4.1.2. Comprehensive analysis, validation, and documentation of incidents.\n                                  No\n                                            Comments \xe2\x80\x93 Treasury OIG: OIG incorrectly documented reported incidents in error. 
(See Finding #2)\n\n\n\n                                                                                                                                                   Page 46\n\x0cThe Department of the Treasury\xe2\x80\x99s Consolidated Response to DHS\xe2\x80\x99s FISMA 2013 Questions for Inspectors General                                    Appendix III\n\nStatus of Incident Response and         4.1 Has the Organization established an incident response and reporting program that is consistent with FISMA\nReporting Program [check one:     Yes       requirements, OMB policy, and applicable NIST guidelines? If yes, besides the improvement opportunities\nYes or No]                                  that may have been identified by the OIG, does the program include the following attributes:\n                                            4.1.3. When applicable, reports to US-CERT within established timeframes (NIST 800-53, 800-61; and OMB\n                                            M-07-16, M-06-19).\n\n                                            Comments \xe2\x80\x93 Treasury OIG: Fiscal Service did not report incidents within required time frames. (See\n                                  No\n                                            Finding #2)\n\n                                             Comments \xe2\x80\x93 TIGTA: The IRS did not always report incidents involving Personally Identifiable Information\n                                             to the US-CERT within established time frames due to resource constraints.\n                                  Yes        4.1.4. When applicable, reports to law enforcement within established time frames (SP 800-61).\n                                             4.1.5. 
Responds to and resolves incidents in a timely manner, as specified in organization policy or standards,\n                                  Yes\n                                             to minimize further damage (NIST 800-53, 800-61; and OMB M-07-16, M-06-19).\n                                  Yes        4.1.6. Is capable of tracking and managing risks in a virtual/cloud environment, if applicable.\n                                  Yes        4.1.7. Is capable of correlating incidents.\n                                             4.1.8. Has sufficient incident monitoring and detection coverage in accordance with government policies\n                                  Yes\n                                             (NIST 800-53, 800-61; and OMB M-07-16, M-06-19).\n                                        4.2. Please provide any additional information on the effectiveness of the organization\xe2\x80\x99s Incident Management\n                                        Program that was not noted in the questions above.\n\n\n\n\n5: Risk Management\n\nStatus of Risk Management               5.1 Has the Organization established a risk management program that is consistent with FISMA requirements,\nProgram [check one: Yes or No]    Yes       OMB policy, and applicable NIST guidelines? If yes, besides the improvement opportunities that may have\n                                            been identified by the OIG, does the program include the following attributes:\n                                            5.1.1. Documented policies and procedures for risk management, including descriptions of the roles and\n                                  Yes\n                                            responsibilities of participants in this process.\n                                            5.1.2. 
Addresses risk from an organization perspective with the development of a comprehensive governance\n                                            structure and organization-wide risk management strategy as described in NIST 800-37, Revision 1.\n                                  No\n                                            Comments \xe2\x80\x93 Treasury OIG: TIGTA did not update risk management program with NIST 800-37, Rev.1\n                                            guidance (See Prior Year FY 2011 Finding #10)\n\n\n\n\n                                                                                                                                                      Page 47\n\x0cThe Department of the Treasury\xe2\x80\x99s Consolidated Response to DHS\xe2\x80\x99s FISMA 2013 Questions for Inspectors General                                     Appendix III\n\nStatus of Risk Management              5.1 Has the Organization established a risk management program that is consistent with FISMA requirements,\nProgram [check one: Yes or No]   Yes       OMB policy, and applicable NIST guidelines? If yes, besides the improvement opportunities that may have\n                                           been identified by the OIG, does the program include the following attributes:\n                                           5.1.3. Addresses risk from a mission and business process perspective and is guided by the risk decisions from\n                                           an organizational perspective, as described in NIST 800-37, Rev. 1.\n                                 No\n                                           Comments \xe2\x80\x93 Treasury OIG: TIGTA did not update risk management program with NIST 800-37, Rev.1\n                                           guidance (See Prior Year FY 2011 Finding #10)\n                                           5.1.4. 
Addresses risk from an information system perspective and is guided by the risk decisions from an\n                                 Yes\n                                           organizational perspective and the mission and business perspective, as described in NIST 800-37, Rev. 1.\n                                 Yes       5.1.5. Has an up-to-date system inventory.\n                                 Yes       5.1.6. Categorizes information systems in accordance with government policies.\n                                 Yes       5.1.7. Selects an appropriately tailored set of baseline security controls.\n                                           5.1.8. Implements the tailored set of baseline security controls and describes how the controls are employed\n                                           within the information system and its environment of operation.\n                                 No\n                                           Comments \xe2\x80\x93 Treasury OIG: FinCEN did not adequately document the implementation of controls as\n                                           required by NIST and Treasury guidance (See Finding #3)\n                                           5.1.9. Assesses the security controls using appropriate assessment procedures to determine the extent to which\n                                 Yes       the controls are implemented correctly, operating as intended, and producing the desired outcome with respect\n                                           to meeting the security requirements for the system.\n                                           5.1.10. 
Authorizes information system operation based on a determination of the risk to organizational\n                                 Yes       operations and assets, individuals, other organizations, and the Nation resulting from the operation of the\n                                           information system and the decision that this risk is acceptable.\n                                           5.1.11. Ensures information security controls are monitored on an ongoing basis including assessing control\n                                           effectiveness, documenting changes to the system or its environment of operation, conducting security impact\n                                           analyses of the associated changes, and reporting the security state of the system to designated organizational\n                                 No\n                                           officials.\n\n                                           Comments \xe2\x80\x93 Treasury OIG: Fiscal Service did not review the SSP annually. (See Finding #3)\n                                           5.1.12. Information-system-specific risks (tactical), mission/business-specific risks and organizational-level\n                                 Yes\n                                           (strategic) risks are communicated to appropriate levels of the organization.\n                                 Yes       5.1.13. Senior Officials are briefed on threat activity on a regular basis by appropriate personnel. (e.g., CISO).\n                                           5.1.14. 
Prescribes the active involvement of information system owners and common control providers, chief\n                                 Yes       information officers, senior information security officers, authorizing officials, and other roles as applicable in\n                                           the ongoing management of information-system-related security risks.\n                                           5.1.15. Security authorization package contains system security plan, security assessment report, and POA&M\n                                 Yes\n                                           in accordance with government policies (NIST SP 800-18, SP 800-37).\n\n\n\n\n                                                                                                                                                       Page 48\n\x0cThe Department of the Treasury\xe2\x80\x99s Consolidated Response to DHS\xe2\x80\x99s FISMA 2013 Questions for Inspectors General                                    Appendix III\n\nStatus of Risk Management              5.1 Has the Organization established a risk management program that is consistent with FISMA requirements,\nProgram [check one: Yes or No]   Yes        OMB policy, and applicable NIST guidelines? If yes, besides the improvement opportunities that may have\n                                            been identified by the OIG, does the program include the following attributes:\n                                            5.1.16. Security authorization package contains accreditation boundaries, defined in accordance with\n                                 Yes\n                                            government policies, for organization information systems.\n                                       5.2. 
Please provide any additional information on the effectiveness of the organization\xe2\x80\x99s Risk Management\n                                       Program that was not noted in the questions above.\n\n6: Security Training\n\nStatus of Security Training            6.1 Has the organization established a security training program that is consistent with FISMA requirements,\nProgram [check one: Yes or No]   Yes       OMB policy, and applicable NIST guidelines? If yes, besides the improvement opportunities that may have\n                                           been identified by the OIG, does the program include the following attributes:\n                                 Yes       6.1.1. Documented policies and procedures for security awareness training (NIST SP 800-53: AT-1).\n                                           6.1.2. Documented policies and procedures for specialized training for users with significant information\n                                 Yes\n                                           security responsibilities.\n                                           6.1.3. Security training content based on the organization and roles, as specified in organization policy or\n                                 Yes\n                                           standards.\n                                           6.1.4. Identification and tracking of the status of security awareness training for all personnel (including\n                                           employees, contractors, and other organization users) with access privileges that require security awareness\n                                           training.\n                                 No\n                                           Comments \xe2\x80\x93 Treasury OIG: OIG was unable to provide evidence of successful completion of security\n                                           awareness training. (See Finding #5)\n                                           6.1.5. 
Identification and tracking of the status of specialized training for all personnel (including employees,\n                                           contractors, and other organization users) with significant information security responsibilities that require\n                                           specialized training.\n                                 No\n                                            Comments \xe2\x80\x93 TIGTA: The IRS did not track completions of specialized information technology security\n                                            training by contractors during the FY 2013 FISMA evaluation period.\n                                            6.1.6. Training material for security awareness training contains appropriate content for the organization\n                                 Yes\n                                            (NIST SP 800-50, 800-53).\n                                       6.2. Please provide any additional information on the effectiveness of the organization\xe2\x80\x99s Security Training Program\n                                       that was not noted in the questions above.\n\n\n\n\n                                                                                                                                                      Page 49\n\x0cThe Department of the Treasury\xe2\x80\x99s Consolidated Response to DHS\xe2\x80\x99s FISMA 2013 Questions for Inspectors General                                   Appendix III\n\n7: POA&M\n\nStatus of POA&M Program [check         7.1 Has the Organization established a POA&M program that is consistent with FISMA requirements, OMB\none: Yes or No]                             policy, and applicable NIST guidelines and tracks and monitors known information security weaknesses? 
If\n                                 Yes\n                                            yes, besides the improvement opportunities that may have been identified by the OIG, does the program\n                                            include the following attributes:\n                                            7.1.1. Documented policies and procedures for managing IT security weaknesses discovered during security\n                                 Yes\n                                            control assessments and that require remediation.\n                                 Yes        7.1.2. Tracks, prioritizes, and remediates weaknesses.\n                                 Yes        7.1.3. Ensures remediation plans are effective for correcting weaknesses.\n                                 Yes        7.1.4. Establishes and adheres to milestone remediation dates.\n                                 Yes        7.1.5. Ensures resources and ownership are provided for correcting weaknesses.\n                                            7.1.6. POA&Ms include security weaknesses discovered during assessments of security controls and that\n                                 Yes        require remediation (do not need to include security weakness due to a risk-based decision to not implement a\n                                            security control) (OMB M-04-25).\n                                            7.1.7. Costs associated with remediating weaknesses are identified (NIST SP 800-53, Rev. 3, Control PM-3;\n                                 Yes\n                                            OMB M-04-25).\n                                            7.1.8. 
Yes   Program officials report progress on remediation to the CIO on a regular basis, at least quarterly, and the CIO centrally tracks, maintains, and independently reviews/validates the POA&M activities at least quarterly (NIST SP 800-53, Rev. 3, Control CA-5 and OMB M-04-25).
      7.2. Please provide any additional information on the effectiveness of the organization’s POA&M Program that was not noted in the questions above.

8: Remote Access Management

Status of Remote Access Management Program [check one: Yes or No]: Yes

8.1 Has the organization established a remote access program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines? If yes, besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes:

Yes   8.1.1. Documented policies and procedures for authorizing, monitoring, and controlling all methods of remote access (NIST 800-53: AC-1, AC-17).
Yes   8.1.2. Protects against unauthorized connections or subversion of authorized connections.
No    8.1.3. Users are uniquely identified and authenticated for all access (NIST 800-46, Section 4.2, Section 5.1).
      Comments – TIGTA: System administrators of the virtual private network infrastructure and server components do not use NIST-compliant multifactor authentication for local or network access to privileged accounts. In addition, virtual private network server components do not comply with password requirements.
Yes   8.1.4. Telecommuting policy is fully developed (NIST 800-46, Section 5.1).
Yes   8.1.5. If applicable, multifactor authentication is required for remote access (NIST 800-46, Section 2.2, 3.3).
Yes   8.1.6. Authentication mechanisms meet NIST SP 800-63 guidance on remote electronic authentication, including strength mechanisms.
Yes   8.1.7. Defines and implements encryption requirements for information transmitted across public networks.
Yes   8.1.8. Remote access sessions, in accordance with OMB M-07-16, are timed-out after 30 minutes of inactivity, after which re-authentication is required.
Yes   8.1.9. Lost or stolen devices are disabled and appropriately reported (NIST 800-46, Section 4.3, US-CERT Incident Reporting Guidelines).
Yes   8.1.10. Remote access rules of behavior are adequate in accordance with government policies (NIST 800-53: PL-4).
Yes   8.1.11. Remote-access user agreements are adequate in accordance with government policies (NIST SP 800-46, Section 5.1; NIST SP 800-53, PS-6).
      8.2. Please provide any additional information on the effectiveness of the organization’s Remote Access Management that was not noted in the questions above.
Yes   8.3. Does the organization have a policy to detect and remove unauthorized (rogue) connections?

9: Contingency Planning

Status of Contingency Planning Program [check one: Yes or No]: Yes

9.1 Has the organization established an enterprise-wide business continuity/disaster recovery program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines? If yes, besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes:

Yes   9.1.1. Documented business continuity and disaster recovery policy providing the authority and guidance necessary to reduce the impact of a disruptive event or disaster (NIST 800-53: CP-1).
Yes   9.1.2. The organization has incorporated the results of its system’s Business Impact Analysis (BIA) into the analysis and strategy development efforts for the organization’s Continuity of Operations Plan (COOP), Business Continuity Plan (BCP), and Disaster Recovery Plan (DRP) (NIST SP 800-34).
No    9.1.3. Development and documentation of division, component, and IT infrastructure recovery strategies, plans, and procedures (NIST SP 800-34).
      Comments – Treasury OIG: TIGTA did not fully implement contingency planning and testing controls for one system, and one prior year system did not have a new operating system integrated into its contingency plan. (See Finding #4 and Prior Year FY 2011 Finding #8)
No    9.1.4. Testing of system-specific contingency plans.
      Comments – Treasury OIG: TIGTA did not perform contingency plan testing for the selected system. (See Finding #4)
Yes   9.1.5. The documented BCP and DRP are in place and can be implemented when necessary (FCD1, NIST SP 800-34).
No    9.1.6. Development of test, training, and exercise (TT&E) programs (FCD1, NIST SP 800-34, NIST SP 800-53).
      Comments – Treasury OIG: TIGTA did not fully implement contingency planning and testing controls. (See Finding #4 and Prior Year FY 2011 Finding #8)
No    9.1.7. Testing or exercising of BCP and DRP to determine effectiveness and to maintain current plans.
      Comments – Treasury OIG: TIGTA did not perform contingency plan testing for the selected system. (See Finding #4)
No    9.1.8. After-action report that addresses issues identified during contingency/disaster recovery exercises (FCD1, NIST SP 800-34).
      Comments – Treasury OIG: TIGTA did not perform contingency plan testing for the selected system. (See Finding #4)
Yes   9.1.9. Systems that have alternate processing sites (FCD1, NIST SP 800-34, NIST SP 800-53).
Yes   9.1.10. Alternate processing sites are not subject to the same risks as primary sites (FCD1, NIST SP 800-34, NIST SP 800-53).
Yes   9.1.11. Backups of information that are performed in a timely manner (FCD1, NIST SP 800-34, NIST SP 800-53).
Yes   9.1.12. Contingency planning that considers supply chain threats.
      9.2. Please provide any additional information on the effectiveness of the organization’s Contingency Planning Program that was not noted in the questions above.

10: Contractor Systems

Status of Contractor Systems [check one: Yes or No]: Yes

10.1 Has the Organization established a program to oversee systems operated on its behalf by contractors or other entities, including organization systems and services residing in the cloud external to the organization? If yes, besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes:

Yes   10.1.1. Documented policies and procedures for information security oversight of systems operated on the organization's behalf by contractors or other entities, including organization systems and services residing in public cloud.
Yes   10.1.2. The organization obtains sufficient assurance that security controls of such systems and services are effectively implemented and comply with Federal and organization guidelines (NIST SP 800-53: CA-2).
Yes   10.1.3. A complete inventory of systems operated on the organization's behalf by contractors or other entities, including organization systems and services residing in public cloud.
Yes   10.1.4. The inventory identifies interfaces between these systems and organization-operated systems (NIST 800-53: PM-5).
Yes   10.1.5. The Organization requires appropriate agreements (e.g., MOUs, Interconnection Security Agreements, contracts, etc.) for interfaces between these systems and those that it owns and operates.
Yes   10.1.6. The inventory of contractor systems is updated at least annually.
Yes   10.1.7. Systems that are owned or operated by contractors or entities, including organization systems and services residing in public cloud, are compliant with FISMA requirements, OMB policy, and applicable NIST guidelines.
      10.2. Please provide any additional information on the effectiveness of the organization’s Contractor Systems Program that was not noted in the questions above.

11: Security Capital Planning

Status of Security Capital Planning [check one: Yes or No]: Yes

11.1 Has the Organization established a security capital planning and investment program for information security? If yes, besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes:

Yes   11.1.1. Documented policies and procedures to address information security in the capital planning and investment control (CPIC) process.
Yes   11.1.2. Includes information security requirements as part of the capital planning and investment process.
Yes   11.1.3. Establishes a discrete line item for information security in organizational programming and documentation (NIST 800-53: SA-2).
Yes   11.1.4. Employs a business case/Exhibit 300/Exhibit 53 to record the information security resources required (NIST 800-53: PM-3).
Yes   11.1.5. Ensures that information security resources are available for expenditure as planned.
      11.2. Please provide any additional information on the effectiveness of the organization’s Security Capital Planning Program that was not noted in the questions above.

APPENDIX IV – APPROACH TO SELECTION OF SUBSET OF SYSTEMS

In fiscal year (FY) 2013, a risk-based approach was employed to determine the subset of United States Department of the Treasury (Treasury) information systems for the FISMA Evaluation. The universe for this subset only included major business applications and general support systems with a security classification of “moderate” or “high.” We used the system inventory contained within the Trusted Agent FISMA system (TAF) as the population for this subset.

Based on historical trends in the Treasury systems inventory and past reviews, we used a subset size of 25 from the total population of Treasury major applications and general support systems with a security classification of “Moderate” or “High.” Based on their lower risk, we elected not to incorporate any systems with a FIPS 199 System Impact Level of “Low” into the population of applications to be selected. We then applied the weighting of IRS systems to non-IRS bureau systems to the total subset size in order to determine the IRS and non-IRS bureau subset sizes.

To select the subset, we stratified the full population of Treasury major applications and general support systems by bureau and by FIPS 199 system impact level. We used a risk-based approach to select systems out of each stratum.
We considered the following factors to select systems:

   • Total number of systems per bureau.
   • Systems at smaller bureaus not historically included in FISMA audits or evaluations.
   • Number of systems at each bureau with a FIPS system impact level of “High.”
   • Location of the system.
   • Whether the system is going to be decommissioned prior to December 31, 2013.
   • Whether the system was identified in a previous FISMA audit or evaluation within the past two years.

Lastly, the total number of financial systems selected in the subset would not exceed the percentage of systems they represent in the Treasury inventory of information systems. We defined financial systems as those information systems that have been designated as “Financial” or “Mixed Financial” systems in the Treasury’s TAF System.

Based on our analysis of the Treasury inventory of information systems as of May 16, 2013, we noted that a total of 188 major applications and general support systems with a security classification of moderate or high are contained within the Treasury-wide inventory. The following table provides our analysis of the composition of the Treasury’s inventory of major applications and general support systems.

                               Total   IRS Financial   IRS Non-Financial   Non-IRS Financial   Non-IRS Non-Financial
                                       Systems         Systems             Systems             Systems
     Major Applications          135               2                  50                  36                      47
     General Support Systems      53               0                  23                   2                      28
     Total                       188               2                  72                  38                      75

From the analysis above, it was determined that IRS systems make up 40% of the total population of Major Applications and General Support systems and Non-IRS systems make up 60%. When the IRS to Non-IRS weighting is applied to the subset size of 25 from the total population, the resulting sizes for the IRS and Non-IRS subsets are 10 and 15, respectively.

We determined that Major Applications account for 73% of the Non-IRS population and General Support Systems account for 27%. We further determined that systems designated as “Financial” and “Mixed Financial” in TAF account for 34% of all Non-IRS Major Applications and General Support Systems. Lastly, we determined that 33% of the Non-IRS Major Applications and General Support Systems are assigned a FIPS 199 System Impact Level of “High,” while 67% are assigned a FIPS 199 System Impact Level of “Moderate.”

     Total Selected                                                        15
     Total Major Applications                                              11
     Total General Support Systems                                          4
     Total Systems with a FIPS 199 System Impact Level of “High”            3
     Total Systems with a FIPS 199 System Impact Level of “Moderate”       12
     Total Systems with a FIPS 199 System Impact Level of “Low”             0
     Total Systems Designated as Financial                                  3
        (Note: During the evaluation, one of the high financial systems was determined to be retiring in early FY 2014, so a moderate non-financial system was used to replace it.)

We further stratified the number of information systems by each bureau to determine the total percentage of information systems at each Non-IRS bureau, based on the total population of the 113 Non-IRS information systems. We used this information as a baseline to determine the total number of systems to select at each bureau or office:

     Bureau             Total Systems   Percentage of Total   Total Number of Non-IRS
                                        Non-IRS Population    Systems to be Selected
     BEP                            6                    5%   1
     Fiscal Service                52                   44%   5
     CDFI Fund                      2                    2%   0 (See Note 1)
     DO                            24                   20%   3
     FinCEN                         7                    6%   1
     Mint                           9                    8%   1
     OCC                            7                    6%   1
     OIG                            1                    1%   1 (See Note 2)
     TIGTA                          2                    2%   1 (See Note 2)
     TTB                            3                    3%   1 (See Note 2)
     Total                        113                  100%   15
        (Note 1: Per instructions from the OIG, we did not sample any systems from CDFI Fund, because their systems had been selected in the past 2 years.)
        (Note 2: Using this methodology initially did not yield a system being selected at these agencies. However, using our risk-based methodology, we elected to select one system for each of these agencies and decrease the number of systems for Fiscal Service.)
APPENDIX V – GLOSSARY OF TERMS

Acronym             Definition
AC                  Access Control
The Act             Title III of the E-government Act of 2002
ACIOCS              Associate Chief Information Officer for Cyber Security
AU                  Audit and Accountability
BCP                 Business Continuity Planning
BEP                 Bureau of Engraving and Printing
BIA                 Business Impact Analysis
BLSR                Fiscal Service Baseline Services Requirements
Bureaus             Bureaus/Offices
BPD                 Bureau of the Public Debt
CA                  Security Assessment and Authorization
CAT                 Category
C&A                 Certification and Accreditation
CDFI Fund           Community Development Financial Institutions Fund
CIO                 Chief Information Officer
CIP                 Critical Infrastructure Protection
CISO                Chief Information Security Officer
CM                  Configuration Management
COOP                Continuity of Operations Plan
COR                 Contracting Officer Representative
CP                  Contingency Planning
CPIC                Capital Planning and Investment Control
CSIRC               Computer Security Incident Response Center
CSS                 Cyber Security Sub-Council
DHS                 Department of Homeland Security
DO                  Departmental Offices
DRP                 Disaster Recovery Plan
FCD                 Federal Continuity Directive
FinCEN              Financial Crimes Enforcement Network
FIPS                Federal Information Processing Standards
Fiscal Service      Bureau of the Fiscal Service
FISMA               Federal Information Security Management Act
FMS                 Financial Management Service
FY                  Fiscal Year
HSPD                Homeland Security Presidential Directive
IA                  Identification and Authentication
IG                  Inspector General
IP                  Internet Protocol
IR                  Incident Response & Reporting
IRS                 Internal Revenue Service
ISSO                Information System Security Officer
IT                  Information Technology
KPMG                KPMG LLP
Mint                United States Mint
MOU                 Memorandum of Understanding
NIST                National Institute of Standards and Technology
OCC                 Office of the Comptroller of the Currency
OCIO                Office of the Chief Information Officer
OIG                 Office of Inspector General
OMB                 Office of Management and Budget
OTS                 Office of Thrift Supervision
PIV                 Personal Identity Verification
PL                  Planning
POA&M               Plan of Action and Milestones
PM                  Program Management
PS                  Personnel Security
RA                  Risk Assessment
Rev.                Revision
SC                  System & Communications Protection
SI                  System and Information Integrity
SIGTARP             Special Inspector General for the Troubled Asset Relief Program
SA                  System and Services Acquisition
SOP                 Standard Operating Procedure
SP                  Special Publication
SSP                 System Security Plan
TAF                 Trusted Agent FISMA
TARP                Troubled Asset Relief Program
TCSIRC              Treasury Computer Security Incident Response Capability
TD P                Treasury Directive Publication
TIGTA               Treasury Inspector General for Tax Administration
TLMS                Treasury Learning Management System
Treasury            The Department of the Treasury
TTB                 Alcohol and Tobacco Tax and Trade Bureau
TT&E                Test, Training & Exercise
UPS                 United Parcel Service
US-CERT             United States Computer Emergency Readiness Team
USGCB               United States Government Configuration Baseline

ATTACHMENT 2

Treasury Inspector General for Tax Administration – Federal Information Security Management Act Report for Fiscal Year 2013 (Reference No. 2013-20-128), September 27, 2013

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Treasury Inspector General for Tax Administration – Federal Information Security Management Act Report for Fiscal Year 2013

September 27, 2013

Reference Number: 2013-20-128

This report remains the property of the Treasury Inspector General for Tax Administration (TIGTA) and may not be disseminated beyond the Internal Revenue Service without the permission of the TIGTA. This report may contain confidential return information protected from disclosure pursuant to I.R.C. § 6103(a). Such information may be disclosed only to Department of the Treasury employees who have a need to know this information in connection with their official tax administration duties.

Phone Number   / 202-622-6500
E-mail Address / TIGTACommunications@tigta.treas.gov
Website        / http://www.treasury.gov/tigta

HIGHLIGHTS

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION – FEDERAL INFORMATION SECURITY MANAGEMENT ACT REPORT FOR FISCAL YEAR 2013

Highlights

Issued on September 27, 2013

Highlights of Reference Number: 2013-20-128 to the Department of the Treasury, Office of the Inspector General, Assistant Inspector General for Audit.

IMPACT ON TAXPAYERS

The IRS collects and maintains a significant amount of personal and financial information on each taxpayer. The Federal Information Security Management Act (FISMA) was enacted to strengthen the security of information and systems within Federal Government agencies. Until the IRS takes steps to fully implement all 11 security program areas covered by FISMA, taxpayer data will remain vulnerable to inappropriate use, modification, or disclosure, possibly without being detected.

WHY TIGTA DID THE AUDIT

As part of the FISMA legislation, the Offices of Inspectors General are required to perform an annual independent evaluation of each Federal agency’s information security programs and practices. This report presents the results of TIGTA’s FISMA evaluation of the IRS’s information security program for Fiscal Year (FY) 2013.

WHAT TIGTA FOUND

Based on our FY 2013 FISMA evaluation, TIGTA found that nine of 11 security program areas were generally compliant with the FISMA requirements. Six of the nine security program areas included all of the program attributes specified by the Department of Homeland Security’s (DHS) FY 2013 Inspector General Federal Information Security Management Act Reporting Metrics:

   • Continuous Monitoring Management.
   • Risk Management.
   • Plan of Action and Milestones.
   • Contingency Planning.
   • Contractor Systems.
   • Security Capital Planning.

Three of the nine security program areas, while generally compliant, were not fully effective due to one program attribute that was missing or not working as intended:

   • Incident Response and Reporting.
   • Security Training.
   • Remote Access Management.

However, two of the 11 security program areas were not compliant with FISMA requirements and did not meet the level of performance specified by the DHS’s FY 2013 Inspector General Federal Information Security Management Act Reporting Metrics due to the majority of the DHS-specified attributes being missing or not working as intended:

   • Configuration Management.
   • Identity and Access Management.

WHAT TIGTA RECOMMENDED

TIGTA does not include recommendations as part of its annual FISMA evaluation and reports only on the level of performance achieved by the IRS using the guidelines issued by the DHS for the applicable FISMA evaluation period.

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

September 27, 2013

MEMORANDUM FOR ASSISTANT INSPECTOR GENERAL FOR AUDIT
               OFFICE OF THE INSPECTOR GENERAL
               DEPARTMENT OF THE TREASURY

FROM:          Michael E. McKenney
               Acting Deputy Inspector General for Audit

SUBJECT:       Final Audit Report – Treasury Inspector General for Tax Administration – Federal Information Security Management Act Report for Fiscal Year 2013 (Audit # 201320001)

This report presents the results of the Treasury Inspector General for Tax Administration’s Federal Information Security Management Act [1] evaluation of the Internal Revenue Service for Fiscal Year 2013. The Act requires the agency’s Inspector General to perform an annual independent evaluation of the agency’s information security program and practices to determine the effectiveness of such program and practices.

The report was forwarded to the Treasury Inspector General for consolidation into a report issued to the Department of the Treasury Chief Information Officer. Copies of this report are also being sent to the IRS managers affected by the report results.

If you have any questions, please contact me or Alan R. Duncan, Assistant Inspector General for Audit (Security and Information Technology Services).

[1] Title III of the E-Government Act of 2002, Pub. L. No. 107-374, 116 Stat. 2899.

Table of Contents

Background ................................................................ Page 1
Results of Review ......................................................... Page 3
     The Internal Revenue Service’s Information Security Program Generally Complies With the Federal Information Security Management Act, but Improvements Are Needed ........ Page 3

Appendices
     Appendix I – Detailed Objective, Scope, and Methodology ............. Page 18
     Appendix II – Major Contributors to This Report ..................... Page 20
     Appendix III – Report Distribution List ............................. Page 21
     Appendix IV – Treasury Inspector General for Tax Administration Information Technology Security-Related Reports Issued During the Fiscal Year 2013 Evaluation Period ........ Page 22

Abbreviations

CIO                  Chief Information Officer
CM                   Continuous Monitoring
DHS                  Department of Homeland Security
FCD1                 Federal Continuity Directive 1
FIPS                 Federal Information Processing Standards
FISMA                Federal Information Security Management Act
FY                   Fiscal Year
GAO                  Government Accountability Office
HSPD-12              Homeland Security Presidential Directive-12
IP                   Internet Protocol
IRS                  Internal Revenue Service
IT                   Information Technology
NIST                 National Institute of Standards and Technology
OIG                  Office of the Inspector General
OMB                  Office of Management and Budget
PIV                  Personal Identity Verification
POA&M                Plan of Action and Milestones
SCAP                 Security Content Automation Protocol
SP                   Special Publication
TIGTA                Treasury Inspector General for Tax Administration
US-CERT              United States Computer Emergency Response Team
USGCB                United States Government Configuration Baseline

Background

The Internal Revenue Service (IRS) collects and maintains a significant amount of personal and financial information on each taxpayer. As custodians of taxpayer information, the IRS has an obligation to protect the confidentiality of this sensitive information against unauthorized access or loss.
Otherwise, taxpayers could be exposed to invasion of privacy and financial loss or damage from identity theft or other financial crimes.

The Federal Information Security Management Act (FISMA) of 2002[1] was enacted to strengthen the security of information and systems within Federal agencies. Under the FISMA, agency heads are responsible for providing information security protections commensurate with the risk and magnitude of harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems. Agency heads are also responsible for complying with the requirements of the FISMA, related Office of Management and Budget (OMB) policies, and National Institute of Standards and Technology (NIST) procedures, standards, and guidelines.

One of the provisions of the FISMA requires the agencies to have an annual independent evaluation of their information security programs and practices performed by the agency Inspector General or an independent external auditor as determined by the Inspector General.[2] The OMB uses the information from the agencies and independent evaluations in its FISMA oversight capacity to assess agency-specific and Federal Governmentwide security performance, develop its annual security report to Congress, and assist in improving and maintaining adequate agency security performance.

In July 2010, the OMB delegated its responsibility to the Department of Homeland Security (DHS) for the collection of annual FISMA responses.[3] The DHS issued the FY 2013 Inspector General Federal Information Security Management Act Reporting Metrics on November 30, 2012, for Fiscal Year[4] (FY) 2013 FISMA responses. These reporting metrics specified the security program areas for the Inspectors General to evaluate and listed specific attributes that each security program area should include. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to this report are listed in Appendix II.

[1] Title III of the E-Government Act of 2002, Pub. L. No. 107-374, 116 Stat. 2899.
[2] The FISMA evaluation period for the Department of the Treasury is July 1, 2012, through June 30, 2013.
[3] In OMB Memorandum M-10-28, Clarifying Cybersecurity Responsibilities and Activities of the Executive Office of the President and the Department of Homeland Security, OMB delegated the responsibility for various operational aspects of Federal cyber security to the DHS, including overseeing the agencies’ compliance with the FISMA and developing analyses for the OMB to assist in the development of the FISMA annual report.
[4] A 12-consecutive-month period ending on the last day of any month. The Federal Government’s fiscal year begins on October 1 and ends on September 30.

Results of Review

The Internal Revenue Service’s Information Security Program Generally Complies With the Federal Information Security Management Act, but Improvements Are Needed

The DHS FY 2013 Inspector General Federal Information Security Management Act Reporting Metrics that were issued on November 30, 2012, specified 11 information security program areas and a total of 98 attributes within the 11 areas for the Inspectors General to evaluate and determine compliance with FISMA requirements. The 11 information security program areas are as follows:

• Continuous Monitoring Management.
• Configuration Management.
• Identity and Access Management.
• Incident Response and Reporting.
• Risk Management.
• Security Training.
• Plan of Action and Milestones (POA&M).
• Remote Access Management.
• Contingency Planning.
• Contractor Systems.
• Security Capital Planning.

To complete our FISMA evaluation, we reviewed a representative judgmental sample[5] of 10 major IRS information systems. For each system in the sample, we assessed the risk management process, the annual testing of controls for continuous monitoring, the testing of information technology contingency plans, and the plan of action and milestones process. In addition, we evaluated the IRS’s enterprise-level processes over configuration management, identity and access management, incident response and reporting, security training, remote access management, contractor systems, and security capital planning. During the FY 2013 FISMA evaluation period, we also completed seven audits, as shown in Appendix IV, which evaluated various aspects of information security at the IRS. We considered the results of these audits in our evaluation, as well as results from ongoing audits for which draft reports were issued to the IRS by August 8, 2013.

[5] A judgmental sample is a nonstatistical sample, the results of which cannot be used to project to the population.

Based on our FY 2013 FISMA evaluation, we determined that nine of the 11 security program areas were generally compliant with the FISMA requirements. The following six security program areas included all of the program attributes specified by the DHS’s FY 2013 Inspector General Federal Information Security Management Act Reporting Metrics:

• Continuous Monitoring Management.
• Risk Management.
• Plan of Action and Milestones.
• Contingency Planning.
• Contractor Systems.
• Security Capital Planning.

The following three security program areas, while generally compliant, were not fully effective due to one program attribute that was missing or not working as intended:

• Incident Response and Reporting.
• Security Training.
• Remote Access Management.

However, two security program areas were not compliant with FISMA requirements and did not meet the level of performance specified by the DHS’s FY 2013 Inspector General Federal Information Security Management Act Reporting Metrics due to the majority of the DHS-specified attributes being missing or not working as intended:

• Configuration Management.
• Identity and Access Management.

Until the IRS takes steps to improve its security program deficiencies and fully implement all 11 security program areas required by FISMA, taxpayer data will remain vulnerable to inappropriate use, modification, or disclosure, possibly without being detected.

The following matrix[6] presents TIGTA’s results for the 11 security program areas as specified by the DHS’s FY 2013 Inspector General Federal Information Security Management Act Reporting Metrics. We have provided comments to support the “no” responses.
TIGTA’s results will be consolidated with the Department of the Treasury Office of Inspector General’s results of non-IRS bureaus and reported to the OMB.

[6] Many abbreviations in this matrix are used as presented in the original document and are not defined therein. However, we have provided the definitions in the Abbreviations page after the Table of Contents of this report.

1: Continuous Monitoring

Status of Continuous Monitoring Program [check one: Yes or No]: Yes

1.1. Has the organization established an enterprisewide continuous monitoring program that assesses the security state of information systems that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines? Besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes?

    Yes   1.1.1. Documented policies and procedures for continuous monitoring (NIST SP 800-53: CA-7).
    Yes   1.1.2. Documented strategy and plans for continuous monitoring (NIST SP 800-37 Rev 1, Appendix G).
    Yes   1.1.3. Ongoing assessments of security controls (system-specific, hybrid, and common) that have been performed based on the approved continuous monitoring plans (NIST SP 800-53, NIST 800-53A).
    Yes   1.1.4. Provides authorizing officials and other key system officials with security status reports covering updates to security plans and security assessment reports, as well as a common and consistent POA&M program that is updated with the frequency defined in the strategy and/or plans (NIST SP 800-53, 800-53A).

1.2. Please provide any additional information on the effectiveness of the organization’s Continuous Monitoring Management Program that was not noted in the questions above.

TIGTA Comments: The IRS’s annual assessments of system security controls are predominantly manual. The IRS’s strategy for automating continuous monitoring includes the implementation of a tool called Archer, which will be a central repository and analysis engine for assessment results, such as automated vulnerability scans. Archer is in its initial development phases.

2: Configuration Management

Status of Configuration Management Program [check one: Yes or No]: No

2.1 Has the organization established a security configuration management program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines? Besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes?

    Yes   2.1.1. Documented policies and procedures for configuration management.
    Yes   2.1.2. Defined standard baseline configurations.
    No    2.1.3. Assessments of compliance with baseline configurations.
          TIGTA Comments: The IRS has not deployed automated mechanisms to centrally manage, apply, and verify baseline configuration settings and produce FISMA compliance reports using the NIST-defined Security Content Automation Protocol (SCAP) format. During FY 2013, the IRS was in the process of implementing the Security Compliance Posture Monitoring and Reporting application, which is intended to provide the ability to assess compliance with baseline security controls in a SCAP-compliant format on an enterprisewide level; however, its implementation has been delayed.
    No    2.1.4. Process for timely (as specified in organization policy or standards) remediation of scan result deviations.
          TIGTA Comments: The IRS has not yet fully implemented vulnerability scanning tools and processes on all systems to ensure timely remediation of scan result deviations. Also, the IRS processes to share vulnerability information with system owners and administrators are still under development.
    Yes   2.1.5. For Windows-based components, USGCB secure configuration settings are fully implemented, and any deviations from USGCB baseline settings are fully documented.
    No    2.1.6. Documented proposed or actual changes to the hardware and software configurations.
          TIGTA Comments: The IRS has not yet fully implemented configuration and change management controls to ensure that proposed or actual changes to hardware and software configurations are documented and controlled. During FY 2013, the Enterprise Services organization was in the process of implementing the Enterprise Configuration Management System to provide an enterprise solution for configuration and change management.
    No    2.1.7. Process for the timely and secure installation of software patches.
          TIGTA Comments: The IRS has not yet fully implemented a process to ensure timely and secure installation of software patches. During FY 2013, the IRS was in the process of evaluating tools that have the capability to perform automated patch management activities across a multitude of technologies and feed results to a centralized location. During the FY 2013 FISMA evaluation period, TIGTA and the Government Accountability Office (GAO) identified critical patches that were missing or installed in an untimely manner on IRS computers.
    No    2.1.8. Software assessing (scanning) capabilities are fully implemented. (NIST SP 800-53: RA-5, SI-2)
          TIGTA Comments: Monthly vulnerability scans are not being performed on all systems.
    No    2.1.9. Configuration-related vulnerabilities, including scan findings, have been remediated in a timely manner, as specified in organization policy or standards. (NIST SP 800-53: CM-4, CM-6, RA-5, SI-2)
          TIGTA Comments: The IRS has not yet fully implemented vulnerability scanning tools and processes on all systems to ensure timely remediation of scan result deviations. Also, IRS processes to share vulnerability information with system owners and administrators are still under development. During the FY 2013 FISMA evaluation period, TIGTA and the GAO identified servers that were not consistently configured to have strong controls.
    No    2.1.10. Patch management process is fully developed, as specified in organization policy or standards. (NIST SP 800-53: CM-3, SI-2)
          TIGTA Comments: The IRS has not yet implemented a process to ensure timely and secure installation of software patches. During FY 2013, the IRS was in the process of evaluating tools that have the capability to perform automated patch management activities across a multitude of technologies and feed results to a centralized location. During FY 2013, TIGTA and the GAO identified critical patches that were missing or installed in an untimely manner on IRS computers.

2.2. Please provide any additional information on the effectiveness of the organization’s Configuration Management Program that was not noted in the questions above.

3: Identity and Access Management

Status of Identity and Access Management Program [check one: Yes or No]: No

3.1 Has the organization established an identity and access management program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines and identifies users and network devices? Besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes?

    Yes   3.1.1. Documented policies and procedures for account and identity management. (NIST SP 800-53: AC-1)
    No    3.1.2. Identifies all users, including Federal employees, contractors, and others who access organization systems. (NIST SP 800-53: AC-2)
          TIGTA Comments: The IRS has not fully implemented unique user identification that complies with Homeland Security Presidential Directive-12 (HSPD-12). In addition, five of our 10 sampled systems did not have the NIST SP 800-53 AC-2 security control in place.
    No    3.1.3. Identifies when special access requirements (e.g., multifactor authentication) are necessary.
          TIGTA Comments: The IRS did not fully implement multifactor authentication in compliance with HSPD-12.
    No    3.1.4. If multifactor authentication is in use, it is linked to the organization’s PIV program where appropriate. (NIST SP 800-53: IA-2)
          TIGTA Comments: The IRS has not fully deployed multifactor authentication via the use of an HSPD-12 PIV card for all users for network and local access to nonprivileged or privileged accounts as required by HSPD-12.
    No    3.1.5. Organization has planned for implementation of PIV for logical access in accordance with government policies. (HSPD-12, FIPS 201, OMB M-05-24, OMB M-07-06, OMB M-08-01, OMB M-11-11)
          TIGTA Comments: Although the IRS is working to achieve its goal of 85 percent mandatory PIV use by the end of Calendar Year 2013, considerable challenges still exist for achieving full compliance due to its legacy environment.
    Yes   3.1.6. Organization has adequately planned for implementation of PIV for physical access in accordance with government policies. (HSPD-12, FIPS 201, OMB M-05-24, OMB M-07-06, OMB M-08-01, OMB M-11-11)
    No    3.1.7. Ensures that the users are granted access based on needs and separation-of-duties principles.
          TIGTA Comments: During FY 2013, TIGTA and the GAO identified users that had been granted more access than needed and instances where the separation-of-duties principle was not enforced.
    No    3.1.8. Identifies devices with IP addresses that are attached to the network and distinguishes these devices from users. (IP phones, faxes, and printers are examples of devices attached to the network that are distinguishable from desktops, laptops, or servers that have user accounts.)
          TIGTA Comments: During FY 2013, the IRS was still in the process of implementing tools to achieve automated asset discovery and asset management.
    Yes   3.1.9. Identifies all user and non-user accounts. (Refers to user accounts that are on a system. Data user accounts are created to pull generic information from a database or a guest/anonymous account for generic login purposes. They are not associated with a single user or a specific group of users.)
    No    3.1.10. Ensures that accounts are terminated or deactivated once access is no longer required.
          TIGTA Comments: During FY 2013, TIGTA and the GAO identified systems that do not have controls in place to ensure that accounts are terminated or deactivated once access is no longer needed.
    Yes   3.1.11. Identifies and controls use of shared accounts.

3.2. Please provide any additional information on the effectiveness of the organization’s Identity and Access Management that was not noted in the questions above.

4: Incident Response and Reporting

Status of Incident Response and Reporting Program [check one: Yes or No]: Yes

4.1 Has the organization established an incident response and reporting program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines? Besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes?

    Yes   4.1.1. Documented policies and procedures for detecting, responding to, and reporting incidents. (NIST SP 800-53: IR-1)
    Yes   4.1.2. Comprehensive analysis, validation, and documentation of incidents.
    No    4.1.3. When applicable, reports to US-CERT within established time frames. (NIST SP 800-53, 800-61 OMB M-07-16, M-06-19)
          TIGTA Comments: The IRS did not always report incidents involving Personally Identifiable Information to the US-CERT within established time frames due to resource constraints.
    Yes   4.1.4. When applicable, reports to law enforcement within established time frames. (NIST SP 800-61)
    Yes   4.1.5. Responds to and resolves incidents in a timely manner, as specified in organization policy or standards, to minimize further damage. (NIST SP 800-53, 800-61; OMB M-07-16, M-06-19)
    Yes   4.1.6. Is capable of tracking and managing risks in a virtual/cloud environment, if applicable.
    Yes   4.1.7. Is capable of correlating incidents.
    Yes   4.1.8. Has sufficient incident monitoring and detection coverage in accordance with Government policies. (NIST SP 800-53, 800-61; OMB M-07-16, M-06-19)

4.2. Please provide any additional information on the effectiveness of the organization’s Incident Management Program that was not noted in the questions above.

5: Risk Management

Status of Risk Management Program [check one: Yes or No]: Yes

5.1 Has the organization established a risk management program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines? Besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes?

    Yes   5.1.1. Documented policies and procedures for risk management, including descriptions of the roles and responsibilities of participants in this process.
    Yes   5.1.2. Addresses risk from an organization perspective with the development of a comprehensive governance structure and organizationwide risk management strategy as described in NIST SP 800-37, Rev.1.
    Yes   5.1.3. Addresses risk from a mission and business process perspective and is guided by the risk decisions from an organizational perspective, as described in NIST SP 800-37, Rev. 1.
    Yes   5.1.4. Addresses risk from an information system perspective and is guided by the risk decisions at the organizational perspective and the mission and business perspective, as described in NIST SP 800-37, Rev. 1.
    Yes   5.1.5. Has an up-to-date system inventory.
    Yes   5.1.6. Categorizes information systems in accordance with Government policies.
    Yes   5.1.7. Selects an appropriately tailored set of baseline security controls.
    Yes   5.1.8. Implements the tailored set of baseline security controls and describes how the controls are employed within the information system and its environment of operation.
    Yes   5.1.9. Assesses the security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
    Yes   5.1.10. Authorizes information system operation based on a determination of the risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation of the information system and the decision that this risk is acceptable.
    Yes   5.1.11. Ensures that information security controls are monitored on an ongoing basis, including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to designated organizational officials.
    Yes   5.1.12. Information-system-specific risks (tactical), mission/business-specific risks, and organizational-level (strategic) risks are communicated to appropriate levels of the organization.
    Yes   5.1.13. Senior officials are briefed on threat activity on a regular basis by appropriate personnel (e.g., Chief Information Security Officer).
    Yes   5.1.14. Prescribes the active involvement of information system owners and common control providers, chief information officers, senior information security officers, authorizing officials, and other roles as applicable in the ongoing management of information-system-related security risks.
    Yes   5.1.15. Security authorization package contains system security plan, security assessment report, and POA&M in accordance with Government policies. (NIST SP 800-18, 800-37)
    Yes   5.1.16. Security authorization package contains accreditation boundaries, defined in accordance with Government policies, for organization information systems.

5.2. Please provide any additional information on the effectiveness of the organization’s Risk Management Program that was not noted in the questions above.

6: Security Training

Status of Security Training Program [check one: Yes or No]: Yes

6.1 Has the organization established a security training management program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines? Besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes?

    Yes   6.1.1. Documented policies and procedures for security awareness training. (NIST SP 800-53: AT-1)
    Yes   6.1.2. Documented policies and procedures for specialized training for users with significant information security responsibilities.
    Yes   6.1.3. Security training content based on the organization and roles, as specified in organization policy or standards.
    Yes   6.1.4. Identification and tracking of the status of security awareness training for all personnel (including employees, contractors, and other organization users) with access privileges that require security awareness training.
    No    6.1.5. Identification and tracking of the status of specialized training for all personnel (including employees, contractors, and other organization users) with significant information security responsibilities that require specialized training.
          TIGTA Comments: The IRS did not track completions of specialized information technology security training by contractors during the FY 2013 FISMA evaluation period.
    Yes   6.1.6. Training material for security awareness training contains appropriate content for the organization. (NIST SP 800-50, 800-53)

6.2.
Please provide any additional information on the effectiveness of the\n                               organization\xe2\x80\x99s Security Training Program that was not noted in the questions\n                               above.\n\n\n\n\n                                                                                                           Page 12\n\x0c                  Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\n               Information Security Management Act Report for Fiscal Year 2013\n\n\n\n7: POA&M\nStatus of POA&M             7.1 Has the organization established a POA&M program that is consistent with\nProgram [check one:             FISMA requirements, OMB policy, and applicable NIST guidelines and\nYes or No]            Yes       tracks and monitors known information security weaknesses? Besides the\n                                improvement opportunities that may have been identified by the OIG, does\n                                the program include the following attributes?\n                                7.1.1. Documented policies and procedures for managing IT security\n                      Yes       weaknesses discovered during security control assessments and that require\n                                remediation.\n                      Yes       7.1.2. Tracks, prioritizes, and remediates weaknesses.\n                      Yes       7.1.3. Ensures that remediation plans are effective for correcting weaknesses.\n                      Yes       7.1.4. Establishes and adheres to milestone remediation dates.\n                                7.1.5. Ensures that resources and ownership are provided for correcting\n                      Yes\n                                weaknesses.\n                                7.1.6. 
POA&Ms include security weaknesses discovered during assessments\n                                of security controls and that require remediation (do not need to include\n                      Yes\n                                security weaknesses due to a risk-based decision to not implement a security\n                                control). (OMB M-04-25)\n                                7.1.7. Costs associated with remediating weaknesses are identified.\n                      Yes\n                                (NIST SP 800-53: PM-3; OMB M-04-25)\n                                7.1.8. Program officials report progress on remediation to the CIO on a\n                                regular basis, at least quarterly, and the CIO centrally tracks, maintains, and\n                      Yes\n                                independently reviews/validates the POA&M activities at least quarterly.\n                                (NIST SP 800-53: CA-5; OMB M-04-25)\n                            7.2. Please provide any additional information on the effectiveness of the\n                            organization\xe2\x80\x99s POA&M Program that was not noted in the questions above.\n\n\n8: Remote Access Management\nStatus of Remote            8.1 Has the organization established a remote access program that is consistent\nAccess Management               with FISMA requirements, OMB policy, and applicable NIST guidelines?\n                      Yes\nProgram [check one:             Besides the improvement opportunities that may have been identified by the\nYes or No]                      OIG, does the program include the following attributes?\n                                8.1.1. Documented policies and procedures for authorizing, monitoring, and\n                      Yes\n                                controlling all methods of remote access. (NIST SP 800-53: AC-1, AC-17)\n                                8.1.2. 
Protects against unauthorized connections or subversion of authorized\n                      Yes\n                                connections.\n\n\n\n\n                                                                                                       Page 13\n\x0c                   Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\n                Information Security Management Act Report for Fiscal Year 2013\n\n\n\n                                   8.1.3. Users are uniquely identified and authenticated for all access.\n                                   (NIST SP 800-46, Section 4.2, Section 5.1)\n                                   TIGTA Comments: System administrators of the virtual private network\n                         No        infrastructure and server components do not use NIST-compliant multifactor\n                                   authentication for local or network access to privileged accounts. In addition,\n                                   virtual private network server components do not comply with password\n                                   requirements.\n                                   8.1.4. Telecommuting policy is fully developed. (NIST SP 800-46, Section\n                         Yes\n                                   5.1)\n                                   8.1.5. If applicable, multifactor authentication is required for remote access.\n                         Yes\n                                   (NIST SP 800-46, Section 2.2, Section 3.3)\n                                   8.1.6. Authentication mechanisms meet NIST SP 800-63 guidance on remote\n                         Yes\n                                   electronic authentication, including strength mechanisms.\n                                   8.1.7. 
Defines and implements encryption requirements for information\n                         Yes\n                                   transmitted across public networks.\n                                   8.1.8. Remote access sessions, in accordance to OMB M-07-16, are timed-out\n                         Yes\n                                   after 30 minutes of inactivity, after which re-authentication is required.\n                                   8.1.9. Lost or stolen devices are disabled and appropriately reported.\n                         Yes\n                                   (NIST SP 800-46, Section 4.3; US-CERT Incident Reporting Guidelines)\n                                   8.1.10. Remote access rules of behavior are adequate in accordance with\n                         Yes\n                                   Government policies. (NIST SP 800-53: PL-4)\n                                   8.1.11. Remote access user agreements are adequate in accordance with\n                         Yes\n                                   Government policies. (NIST SP 800-46, Section 5.1; NIST SP 800-53: PS-6)\n                               8.2. Please provide any additional information on the effectiveness of the\n                               organization\xe2\x80\x99s Remote Access Management that was not noted in the questions\n                               above.\n                               8.3. Does the organization have a policy to detect and remove unauthorized\n                         Yes\n                               (rogue) connections?\n\n\n9: Contingency Planning\nStatus of Contingency          9.1 Has the organization established an enterprisewide business\nPlanning Program                   continuity/disaster recovery program that is consistent with FISMA\n[check one: Yes or No]   Yes       requirements, OMB policy, and applicable NIST guidelines? 
Besides the\n                                   improvement opportunities that may have been identified by the OIG, does\n                                   the program include the following attributes?\n                                   9.1.1. Documented business continuity and disaster recovery policy providing\n                         Yes       the authority and guidance necessary to reduce the impact of a disruptive\n                                   event or disaster. (NIST SP 800-53: CP-1)\n\n\n\n                                                                                                            Page 14\n\x0c                   Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\n                Information Security Management Act Report for Fiscal Year 2013\n\n\n\n                                 9.1.2. The organization has incorporated the results of its system\xe2\x80\x99s Business\n                                 Impact analysis into the analysis and strategy development efforts for the\n                       Yes\n                                 organization\xe2\x80\x99s Continuity of Operations Plan, Business Continuity Plan, and\n                                 Disaster Recovery Plan. (NIST SP 800-34)\n                                 9.1.3. Development and documentation of division, component, and IT\n                       Yes\n                                 infrastructure recovery strategies, plans, and procedures. (NIST SP 800-34)\n                       Yes       9.1.4. Testing of system-specific contingency plans.\n                                 9.1.5. The documented business continuity and disaster recovery plans are in\n                       Yes\n                                 place and can be implemented when necessary. (FCD1, NIST SP 800-34)\n                                 9.1.6. Development of test, training, and exercises programs. 
(FCD1, NIST\n                       Yes\n                                 SP 800-34, NIST SP 800-53)\n                                 9.1.7. Testing or exercising of business continuity and disaster recovery plans\n                       Yes\n                                 to determine effectiveness and to maintain current plans.\n                                 9.1.8. After-action report that addresses issues identified during\n                       Yes\n                                 contingency/disaster recovery exercises. (FDC1, NIST SP 800-34)\n                                 9.1.9. Systems that have alternate processing sites. (FCD1, NIST SP 800-34,\n                       Yes\n                                 NIST SP 800-53)\n                                 9.1.10. Alternate processing sites are not subject to the same risks as primary\n                       Yes\n                                 sites. (FCD1, NIST SP 800-34, NIST SP 800-53)\n                                 9.1.11. Backups of information that are performed in a timely manner.\n                       Yes\n                                 (FCD1, NIST SP 800-34, NIST SP 800-53)\n                       Yes       9.1.12. Contingency planning that considers supply chain threats.\n                             9.2. Please provide any additional information on the effectiveness of the\n                             organization\xe2\x80\x99s Contingency Planning that was not noted in the questions above.\n\n\n10: Contractor Systems\nStatus of Contractor         10.1 Has the organization established a program to oversee systems operated on\nSystems [check one:              its behalf by contractors or other entities, including organization systems and\nYes or No]             Yes       services residing in the cloud external to the organization? 
Besides the\n                                 improvement opportunities that may have been identified by the OIG, does\n                                 the program include the following attributes?\n                                 10.1.1. Documented policies and procedures for information security\n                                 oversight of systems operated on the organization\xe2\x80\x99s behalf by contractors or\n                       Yes\n                                 other entities, including organization systems and services residing in a public\n                                 cloud.\n                                 10.1.2. The organization obtains sufficient assurance that security controls of\n                       Yes       such systems and services are effectively implemented and comply with\n                                 Federal and organization guidelines. (NIST SP 800-53: CA-2)\n\n\n                                                                                                       Page 15\n\x0c                   Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\n                Information Security Management Act Report for Fiscal Year 2013\n\n\n\n                                    10.1.3. A complete inventory of systems operated on the organization\xe2\x80\x99s behalf\n                                    by contractors or other entities, including organization systems and services\n                                    residing in a public cloud.\n                                    TIGTA Comments: In FY 2013, the IRS maintained two contractor managed\n                                    systems in the Trusted Agent FISMA, the U.S. Department of the Treasury\xe2\x80\x99s\n                          Yes       system for reporting FISMA data. 
The IRS also maintained a list of 130\n                                    contractor sites in FY 2013 that required annual security reviews because\n                                    each handles or processes IRS information. The IRS Infrastructure and\n                                    Security Review organization conducts reviews to ensure that security\n                                    controls and standards are met and issues reports of findings to these\n                                    contractors.\n                                    10.1.4. The inventory identifies interfaces between these systems and\n                          Yes\n                                    organization-operated systems. (NIST SP 800-53: PM-5)\n                                    10.1.5. The organization requires appropriate agreements (e.g.,\n                                    Memorandums of Understanding, Interconnection Security Agreements,\n                          Yes\n                                    contracts) for interfaces between these systems and those that it owns and\n                                    operates.\n                          Yes       10.1.6. The inventory of contractor systems is updated at least annually.\n                                    10.1.7. Systems that are owned or operated by contractors or entities,\n                                    including organization systems and services residing in a public cloud, are\n                          Yes\n                                    compliant with FISMA requirements, OMB policy, and applicable NIST\n                                    guidelines.\n                                10.2. Please provide any additional information on the effectiveness of the\n                                organization\xe2\x80\x99s Contractor Systems that was not noted in the questions above.\n\n\n11: Security Capital Planning\nStatus of Security              11.1 . 
Has the organization established a security capital planning and investment\nCapital Planning [check              program for information security? Besides the improvement opportunities\n                          Yes\none: Yes or No]                      that may have been identified by the OIG, does the program include the\n                                     following attributes?\n                                    11.1.1. Documented policies and procedures to address information security\n                          Yes\n                                    in the capital planning and investment control process.\n                                    11.1.2. Includes information security requirements as part of the capital\n                          Yes\n                                    planning and investment process.\n                                    11.1.3. Establishes a discrete line item for information security in\n                          Yes\n                                    organizational programming and documentation. (NIST SP 800-53: SA-2)\n                                    11.1.4. Employs a business case/Exhibit 300/Exhibit 53 to record the\n                          Yes\n                                    information security resources required. (NIST SP 800-53: PM-3)\n                                    11.1.5. Ensures that information security resources are available for\n                          Yes\n                                    expenditure as planned.\n\n                                                                                                            Page 16\n\x0c   Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\nInformation Security Management Act Report for Fiscal Year 2013\n\n\n\n          11.2. 
Please provide any additional information on the effectiveness of the\n          organization\xe2\x80\x99s Security Capital Planning that was not noted in the questions\n          above.\n\n\n\n\n                                                                                   Page 17\n\x0c                       Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\n                    Information Security Management Act Report for Fiscal Year 2013\n\n\n\n                                                                                                      Appendix I\n\n\n             Detailed Objective, Scope, and Methodology\n\nOur overall objective was to provide an annual independent evaluation of the effectiveness of the\nIRS\xe2\x80\x99s information technology security program and practices, and to assess the progress made by\nthe IRS in meeting the responsibilities established by the NIST and the OMB. The following\n11 evaluative sections are taken directly from the DHS FY 2013 Inspector General Federal\nInformation Security Management Act Reporting Metrics, issued on November 30, 2012.\n       1.    Continuous Monitoring Management.\n       2.    Configuration Management.\n       3.    Identity and Access Management.\n       4.    Incident Response and Reporting.\n       5.    Risk Management.\n       6.    Security Training.\n       7.    Plan of Action and Milestones.\n       8.    Remote Access Management.\n       9.    Contingency Planning.\n       10.   Contractor Systems.\n       11.   Security Capital Planning.\nTo accomplish our objective, we reviewed a judgmental sample 1 of 10 major IRS information\nsystems from a total of 75 major applications maintained in the Trusted Agent FISMA system as\nof April 11, 2013. We selected a judgmental sample because we did not plan to project the\nresults. We conducted tests to determine the appropriate level of performance that the IRS has\nachieved for each of the security program areas. 
We also evaluated completed TIGTA work\nduring the FISMA period, as well as audits from the GAO, and determined its applicability to the\nFISMA questions.\nBased on our evaluative work, we indicated with a yes or no whether the IRS had achieved a\nsatisfactory level of performance for each security program area as well as each specific attribute\nlisted in the DHS FY 2013 Inspector General Federal Information Security Management Act\nReporting Metrics. The Department of the Treasury Office of Inspector General will combine\n\n\n\n1\n    A judgmental sample is a nonstatistical sample, the results of which cannot be used to project to the population.\n                                                                                                               Page 18\n\x0c                 Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\n              Information Security Management Act Report for Fiscal Year 2013\n\n\n\nour results for the IRS with its results for the non-IRS bureaus and submit the combined yes or\nno responses to OMB.\n\n\n\n\n                                                                                         Page 19\n\x0c                Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\n             Information Security Management Act Report for Fiscal Year 2013\n\n\n\n                                                                              Appendix II\n\n                 Major Contributors to This Report\n\nAlan R. 
Duncan, Assistant Inspector General for Audit (Security and Information Technology\nServices)\nKent Sagara, Director\nJody Kitazono, Audit Manager\nMidori Ohno, Lead Auditor\nCharles Ekunwe, Senior Auditor\nBret Hunter, Senior Auditor\nMary Jankowski, Senior Auditor\nEsther Wilson, Senior Auditor\nTina Wong, Senior Auditor\n\n\n\n\n                                                                                     Page 20\n\x0c                Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\n             Information Security Management Act Report for Fiscal Year 2013\n\n\n\n                                                                    Appendix III\n\n                         Report Distribution List\n\nPrincipal Deputy Commissioner\nOffice of the Commissioner \xe2\x80\x93 Attn: Chief of Staff C\nOffice of the Deputy Commissioner for Services and Enforcement SE\nDeputy Commissioner for Operations Support OS\nChief Technology Officer OS:CTO\nChief Counsel CC\nNational Taxpayer Advocate TA\nDirector, Office of Legislative Affairs CL:LA\nDirector, Office of Program Evaluation and Risk Analysis RAS:O\nOffice of Internal Control OS:CFO:CPIC:IC\nAudit Liaison: Director, Risk Management Division OS:CTO:SP:RM\n\n\n\n\n                                                                          Page 21\n\x0c              Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\n           Information Security Management Act Report for Fiscal Year 2013\n\n\n\n                                                                           Appendix IV\n\n Treasury Inspector General for Tax Administration\n  Information Technology Security-Related Reports\nIssued During the Fiscal Year 2013 Evaluation Period\n\n 1. TIGTA, Ref. No. 2012-20-099, Audit Trails Did Not Comply With Standards or Fully\n    Support Investigations of Unauthorized Disclosure of Taxpayer Data (Sept. 2012).\n 2. TIGTA, Ref. No. 
2012-20-112, An Enterprise Approach Is Needed to Address the\n    Security Risk of Unpatched Computers (Sept. 2012).\n 3. TIGTA, Ref. No. 2012-20-109, The Customer Account Data Engine 2 Database Was\n    Initialized; However, Database and Security Risks Remain, and Initial Timeframes to\n    Provide Data to Three Downstream Systems May Not Be Met (Sept. 2012).\n 4. TIGTA, Ref. No. 2012-20-115, Using SmartID Cards to Access Computer Systems Is\n    Taking Longer Than Expected (Sept. 2012).\n 5. TIGTA, Ref. No. 2013-20-016, Significant Delays Hindered Efforts to Provide\n    Continuous Monitoring of Security Settings on Computer Workstations (Jan. 2013).\n 6. TIGTA, Ref. No. 2013-20-023, Improvements Are Needed to Ensure the Effectiveness of\n    the Privacy Impact Assessment Process (Feb. 2013).\n 7. TIGTA, Ref. No. 2013-20-030, Integrated Financial System Updates Are Improving\n    System Security, but Remaining Weaknesses Should Be Addressed (Mar. 2013).\n\n\n\n\n                                                                                   Page 22\n\x0c"